W3C home > Mailing lists > Public > public-webappsec@w3.org > May 2018

Re: Formal Model of Malicious Cross Origin Requests Mitigation using CORP (was: A primer on cross-origin information leaks

From: Artur Janc <aaj@google.com>
Date: Thu, 24 May 2018 14:24:22 +0200
Message-ID: <CAPYVjqqQ0n3Vg_LOfV9OWRVTsWyQafr4E2V5M_T-BGzGC_qxPQ@mail.gmail.com>
To: Jeff Hodges <Jeff.Hodges@kingsmountain.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
Thanks for the links, Jeff! I hadn't seen the papers, they are interesting
and they indeed touch upon some of the same problems that we've been
discussing.

The general CORP approach of not letting the server process a request
unless the initiator and context are explicitly allowed to access a given
resource (e.g. foo.example.org can request /images/foo.png as an image) is
similar conceptually to what Sec-Metadata aims to achieve. The two main
differences are:
- With Sec-Metadata, the decision about handling the request would be made
by the server rather than by a declarative policy. This allows for building
server-side reporting and is likely more flexible than a declarative
approach.
- CORP has a (predictable and likely unavoidable) problem of not having any
insight into the structure of the web application, and relies on paths to
define a hierarchy of resources and enforce security rules. In practice,
this is very difficult to retrofit into moderately complex applications,
which often serve different types of resources from the same endpoint,
frequently change the URL structure, etc. We've already seen problems with
this with CSP's path-based script-src whitelists.

My main takeaway from reading the papers is that the approach they outline
is reasonable, but the mechanics of how they propose to enforce the
security restrictions wouldn't really work. But that's still an interesting
approach/result, the articles will be useful as a reference in future
discussions.

Cheers,
-A


On Wed, May 16, 2018 at 6:37 PM =JeffH <Jeff.Hodges@kingsmountain.com>
wrote:

> wrt cross-origin information leaks, I'm wondering whether folks here are
> aware of this relatively recent work that seems on-topic:
>
> A Formal Model of Web Security Showing Malicious Cross Origin
> Requests and Its Mitigation using CORP
> Krishna Chaitanya Telikcherla, Akash Agrawall and Venkatesh Choppella
> <
> https://pdfs.semanticscholar.org/5746/7a3d74556e8e7c50609e24aa081918b2d006.pdf
> >
>
> Abstract:
>
> This document describes a web security model to analyse cross origin
> requests and block them using CORP, a browser security policy proposed
> for mitigating Cross Origin Request Attacks (CORA) such as CSRF,
> Clickjacking, Web application timing, etc. CORP is configured by website
> administrators and sent as an HTTP response header to the browser. A
> browser which is CORP-enabled will interpret the policy and enforce it
> on all cross-origin HTTP requests originating from other tabs of the
> browser, thus preventing malicious crossorigin requests. In this
> document we use Alloy, a finite state model finder, to formalize a web
> security model to analyse malicious cross-origin attacks and verify that
> CORP can be used to mitigate such attacks.
>
>
> Also perhaps of interest:
>
> Mitigating Web-borne Security Threats by Enhancing Browser Security
> Policies
> KC Telikicherla (masters thesis)
> <
> http://web2py.iiit.ac.in/research_centres/publications/download/mastersthesis.pdf.9c510731811e394c.4b726973686e617468657369732e706466.pdf
> >
>
>
> CORP: A browser policy to mitigate web in ltration attacks (2014)
> https://link.springer.com/chapter/10.1007/978-3-319-13841-1_16
>
>
> Mitigating browser-based DDoS attacks using CORP (2017)
> <
> https://pdfs.semanticscholar.org/17b0/50d9043e40af373335f0e2564257477aef11.pdf
> >
>
>
>
> HTH,
>
> =JeffH
>
>
Received on Thursday, 24 May 2018 12:24:58 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 24 May 2018 12:24:59 UTC