Modeling user interactions for (fun and) profit: Preventing request forgery attacks on web applications

Karthick Jayaraman, Paul G. Talaga, Grzegorz Lewandowski, Steve J. Chapin, Munawar Hafiz

Research output: Chapter in Book/Entry/Poem › Conference contribution

Abstract

The goal of a web-request forgery attacker is to manipulate the intended workflow of a web application. Applications that fail to enforce the designer-intended interactions are vulnerable to this type of attack. This paper proposes a systematic methodology for designing web applications to strictly enforce the designer-intended interactions. Our approach captures workflow using the Web DFA model and applies four design patterns to strictly enforce the intended interactions. We argue that using patterns in conjunction with a Web DFA model produces web applications that are secure from request forgery attacks by construction; moreover, our mechanism could be useful in designing workflow-based applications in other domains.
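To make the Web DFA idea concrete, here is an added example (not code from the paper or its authors) of a server-side state machine that records the designer-intended request sequence of a hypothetical checkout workflow per session and rejects any request that is not a legal transition from the session's current state; the states, request names and transition table are constructed for illustration.

```python
# Added example: a minimal "Web DFA" enforcing a designer-intended workflow.
# States, request names and the transition table below are constructed.
from dataclasses import dataclass, field

# Transition table: (current_state, request) -> next_state.
# Only requests listed here are legitimate from that state; anything else
# is treated as an out-of-order (possibly forged) request and rejected.
CHECKOUT_DFA = {
    ("start", "GET /cart"): "cart",
    ("cart", "POST /cart/add"): "cart",
    ("cart", "POST /checkout"): "checkout",
    ("checkout", "POST /payment"): "payment",
    ("payment", "POST /confirm"): "done",
}

@dataclass
class Session:
    """Per-user session holding the DFA state and an audit trail."""
    state: str = "start"
    history: list = field(default_factory=list)

def handle_request(session, request):
    """Advance the session's DFA on `request`; return (accepted, new_state)."""
    nxt = CHECKOUT_DFA.get((session.state, request))
    if nxt is None:
        # Reject and leave the state unchanged: a request that tries to skip
        # steps (e.g. a bare POST /confirm) cannot move the workflow forward.
        session.history.append((request, "rejected"))
        return False, session.state
    session.state = nxt
    session.history.append((request, "accepted"))
    return True, session.state

def run(requests):
    """Replay a request list against a fresh session; return per-request decisions."""
    session = Session()
    return [handle_request(session, r)[0] for r in requests]
```

The DFA only enforces ordering; binding each step to the authenticated session and checking request origin are separate controls the paper's patterns address.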

Original language: English (US)
Title of host publication: PLoP09 - 16th Conference on Pattern Languages of Programs, Proceedings
DOIs
State: Published - 2010
Event: 16th Conference on Pattern Languages of Programs, PLoP09 - Chicago, IL, United States
Duration: Aug 28 2009 → Aug 30 2009

Publication series

Name: ACM International Conference Proceeding Series

Other

Other: 16th Conference on Pattern Languages of Programs, PLoP09
Country/Territory: United States
City: Chicago, IL
Period: 8/28/09 → 8/30/09

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

