
Formal Model of Malicious Cross Origin Requests Mitigation using CORP (was: A primer on cross-origin information leaks

From: =JeffH <Jeff.Hodges@KingsMountain.com>
Date: Wed, 16 May 2018 09:31:56 -0700
To: W3C WebAppSec WG <public-webappsec@w3.org>
Message-ID: <9d972cb9-9bb2-02ba-cf51-67ab44ae7056@KingsMountain.com>

wrt cross-origin information leaks, I'm wondering whether folks here are 
aware of this relatively recent work that seems on-topic:

A Formal Model of Web Security Showing Malicious Cross Origin
Requests and Its Mitigation using CORP
Krishna Chaitanya Telikcherla, Akash Agrawall and Venkatesh Choppella
<https://pdfs.semanticscholar.org/5746/7a3d74556e8e7c50609e24aa081918b2d006.pdf>

Abstract:

This document describes a web security model to analyse cross origin 
requests and block them using CORP, a browser security policy proposed 
for mitigating Cross Origin Request Attacks (CORA) such as CSRF, 
Clickjacking, Web application timing, etc. CORP is configured by website 
administrators and sent as an HTTP response header to the browser. A 
browser which is CORP-enabled will interpret the policy and enforce it 
on all cross-origin HTTP requests originating from other tabs of the 
browser, thus preventing malicious cross-origin requests. In this 
document we use Alloy, a finite state model finder, to formalize a web 
security model to analyse malicious cross-origin attacks and verify that 
CORP can be used to mitigate such attacks.
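To make the enforcement step in the abstract concrete, here is a small Python model added to this post (it is not the paper's Alloy model, and the header syntax it parses is an assumed simplification, not the real CORP grammar): the server sends a policy, and the browser checks every cross-origin request from another tab against it before letting it out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """A request issued by a page in one tab to a resource on some origin."""
    initiator_origin: str  # origin of the page that issued the request
    target_origin: str     # origin that serves the requested resource
    path: str              # path on the target origin


class CorpPolicy:
    """Assumed simplified policy: path prefix -> origins allowed to request it.
    "*" allows any cross-origin initiator; an unlisted path is denied."""

    def __init__(self, rules):
        self.rules = rules  # dict: path prefix -> set of allowed origins

    def allows(self, req: Request) -> bool:
        # CORP only governs cross-origin requests; same-origin is untouched.
        if req.initiator_origin == req.target_origin:
            return True
        # Longest matching prefix wins so /api/transfer overrides /api/.
        for prefix in sorted(self.rules, key=len, reverse=True):
            if req.path.startswith(prefix):
                allowed = self.rules[prefix]
                return "*" in allowed or req.initiator_origin in allowed
        return False  # default deny for anything the policy does not list


def parse_corp_header(value: str) -> CorpPolicy:
    """Assumed header shape: "<prefix> <origin|*> [<origin> ...]; <prefix> ...".
    This is a constructed format for illustration only."""
    rules = {}
    for entry in value.split(";"):
        parts = entry.split()
        if len(parts) < 2:
            continue  # ignore malformed entries rather than widening access
        rules[parts[0]] = set(parts[1:])
    return CorpPolicy(rules)


def browser_enforce(policy: CorpPolicy, requests):
    """Return the subset of requests the CORP-enabled browser would send."""
    return [r for r in requests if policy.allows(r)]
```

The interesting cases are a state-changing path reachable only from a listed partner origin and an unlisted path, which the default-deny branch blocks even though nothing names it.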


Also perhaps of interest:

Mitigating Web-borne Security Threats by Enhancing Browser Security Policies
KC Telikicherla (masters thesis)
<http://web2py.iiit.ac.in/research_centres/publications/download/mastersthesis.pdf.9c510731811e394c.4b726973686e617468657369732e706466.pdf>


CORP: A browser policy to mitigate web infiltration attacks (2014)
https://link.springer.com/chapter/10.1007/978-3-319-13841-1_16


Mitigating browser-based DDoS attacks using CORP (2017)
<https://pdfs.semanticscholar.org/17b0/50d9043e40af373335f0e2564257477aef11.pdf>



HTH,

=JeffH
Received on Wednesday, 16 May 2018 16:32:35 UTC