Formal Model of Malicious Cross Origin Requests Mitigation using CORP (was: A primer on cross-origin information leaks

wrt cross-origin information leaks, I'm wondering whether folks here are 
aware of this relatively recent work that seems on-topic:

A Formal Model of Web Security Showing Malicious Cross Origin
Requests and Its Mitigation using CORP
Krishna Chaitanya Telikcherla, Akash Agrawall and Venkatesh Choppella


This document describes a web security model to analyse cross origin 
requests and block them using CORP, a browser security policy proposed 
for mitigating Cross Origin Request Attacks (CORA) such as CSRF, 
Clickjacking, Web application timing, etc. CORP is configured by website 
administrators and sent as an HTTP response header to the browser. A 
browser which is CORP-enabled will interpret the policy and enforce it 
on all cross-origin HTTP requests originating from other tabs of the 
browser, thus preventing malicious crossorigin requests. In this 
document we use Alloy, a finite state model finder, to formalize a web 
security model to analyse malicious cross-origin attacks and verify that 
CORP can be used to mitigate such attacks.

Also perhaps of interest:

Mitigating Web-borne Security Threats by Enhancing Browser Security Policies
KC Telikicherla (masters thesis)

CORP: A browser policy to mitigate web inltration attacks (2014)

Mitigating browser-based DDoS attacks using CORP (2017)



Received on Wednesday, 16 May 2018 16:32:35 UTC