TY - GEN
T1 - Enforcing request integrity in web applications
AU - Jayaraman, Karthick
AU - Lewandowski, Grzegorz
AU - Talaga, Paul G.
AU - Chapin, Steve J.
PY - 2010
Y1 - 2010
N2 - A web application is constructed to process an intended sequence of requests. Failing to enforce the intended sequences can lead to request integrity (RI) attacks, wherein an attacker forces an application into processing an unintended request sequence. Cross-site request forgeries (CSRF) and workflow violations are two classes of RI attacks. Enforcing the intended request sequences is essential for ensuring the integrity of the application. We describe a new approach for enforcing request integrity in a web application, and its implementation in a tool called Bayawak. Under our approach, the intended request sequences of an application are specified as a security policy, and a framework-level method enforces the security policy strictly and transparently without requiring changes in the application's source code. Our approach can be compared to operating system (OS) support for access control: access control is not built into the application, but is based on OS-level policy settings. We evaluated Bayawak using nine open source web applications. Our results indicate that our approach is effective against request integrity attacks and incurs negligible overhead.
UR - http://www.scopus.com/inward/record.url?scp=77958475027&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77958475027&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-13739-6_15
DO - 10.1007/978-3-642-13739-6_15
M3 - Conference contribution
AN - SCOPUS:77958475027
SN - 3642137385
SN - 9783642137389
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 225
EP - 240
BT - Data and Applications Security and Privacy XXIV - 24th Annual IFIP WG 11.3 Working Conference, Proceedings
T2 - 24th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy
Y2 - 21 June 2010 through 21 June 2010
ER -
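The abstract describes a framework-level enforcer that checks every incoming request against a policy of intended request sequences, so that both workflow violations (a request that skips a required step) and CSRF (a request the user's browser issues on behalf of another origin) are rejected before the application code runs. The Python sketch below is an added illustration of that idea and is not Bayawak's code or the paper's policy language: the shop workflow, the URL paths, the single "current page" session model, the hypothetical `ri_token` parameter and the HMAC-per-transition token scheme are all assumptions made for this example. The request sequence it runs is constructed here, mixing legitimate navigation with attacker-driven requests.

```python
"""Illustrative request-integrity enforcer (added example, not Bayawak)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed workflow policy for a hypothetical shop: each key is the page the
# client was last served, each value the set of requests that page may issue.
# None is the "no page yet" state, so its entries are the permitted entry points.
POLICY: Dict[Optional[str], Set[str]] = {
    None: {"/login"},
    "/login": {"/cart"},
    "/cart": {"/cart", "/checkout"},
    "/checkout": {"/cart", "/confirm"},
    "/confirm": {"/cart"},
}


@dataclass
class Session:
    """Server-side session: the page last served and a per-session secret."""
    current: Optional[str] = None
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))


@dataclass
class Request:
    path: str
    ri_token: Optional[str] = None  # hypothetical parameter carrying the token


class RequestIntegrityEnforcer:
    """Framework-level check that runs before any application handler."""

    def __init__(self, policy: Dict[Optional[str], Set[str]]):
        self.policy = policy

    def token_for(self, session: Session, target: str) -> str:
        # The token is an HMAC over (source page, target path) under the session
        # secret. Only the server can mint it, while rendering the source page,
        # and it is valid for that one transition only, so a token copied from a
        # different link or a different session does not verify.
        msg = f"{session.current}|{target}".encode()
        return hmac.new(session.secret, msg, "sha256").hexdigest()

    def handle(self, session: Session, req: Request) -> str:
        # 1. Workflow check: is this request reachable from the current page?
        allowed = self.policy.get(session.current, set())
        if req.path not in allowed:
            return f"DENY workflow: {session.current} -> {req.path}"
        # 2. CSRF check: entry points need no token; every other transition must
        #    present the token the previously served page embedded for it.
        if session.current is not None:
            if req.ri_token is None or not hmac.compare_digest(
                req.ri_token, self.token_for(session, req.path)
            ):
                return f"DENY csrf: {req.path}"
        session.current = req.path
        return f"OK {req.path}"


def run_scenario() -> List[str]:
    """Constructed request sequence: legitimate steps plus attacker-driven ones."""
    enforcer = RequestIntegrityEnforcer(POLICY)
    s = Session()
    out = []
    out.append(enforcer.handle(s, Request("/login")))  # entry point, no token needed
    out.append(enforcer.handle(s, Request("/cart", enforcer.token_for(s, "/cart"))))
    # Attacker forces /confirm straight from /cart, skipping /checkout.
    out.append(enforcer.handle(s, Request("/confirm", enforcer.token_for(s, "/confirm"))))
    # Cross-site form post to /checkout: the foreign origin cannot mint a token.
    out.append(enforcer.handle(s, Request("/checkout")))
    # Replay of a token that was minted for a different transition (/cart -> /cart).
    stale = enforcer.token_for(s, "/cart")
    out.append(enforcer.handle(s, Request("/checkout", stale)))
    # Legitimate remainder of the workflow.
    out.append(enforcer.handle(s, Request("/checkout", enforcer.token_for(s, "/checkout"))))
    out.append(enforcer.handle(s, Request("/confirm", enforcer.token_for(s, "/confirm"))))
    return out


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

In a deployment the framework, not the application, would call `token_for` while rendering each link and form of the served page and would call `handle` on every request, which is what keeps the application source untouched. The single-current-page model is a deliberate simplification: multi-tab browsing, back-button navigation and single-use (nonce) tokens all need a richer session state than shown here.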