A Formal Model of Web Security Showing Malicious Cross Origin Requests and Its Mitigation using CORP

Krishna Chaitanya Telikicherla, Akash Agrawall, Venkatesh Choppella

2017

Abstract

This document describes a web security model to analyse cross-origin requests and block them using CORP, a browser security policy proposed for mitigating Cross Origin Request Attacks (CORA) such as CSRF, Click-jacking, Web application timing, etc. CORP is configured by website administrators and sent as an HTTP response header to the browser. A CORP-enabled browser interprets the policy and enforces it on all cross-origin HTTP requests originating from other tabs of the browser, thus preventing malicious cross-origin requests. In this document we use Alloy, a finite state model finder, to formalize a web security model, analyse malicious cross-origin attacks and verify that CORP can be used to mitigate such attacks.

Paper Citation


in Harvard Style

Telikicherla K., Agrawall A. and Choppella V. (2017). A Formal Model of Web Security Showing Malicious Cross Origin Requests and Its Mitigation using CORP. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 516-523. DOI: 10.5220/0006261105160523

in Bibtex Style

@conference{icissp17,
author={Krishna Chaitanya Telikicherla and Akash Agrawall and Venkatesh Choppella},
title={A Formal Model of Web Security Showing Malicious Cross Origin Requests and Its Mitigation using CORP},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={516-523},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006261105160523},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - A Formal Model of Web Security Showing Malicious Cross Origin Requests and Its Mitigation using CORP
SN - 978-989-758-209-7
AU - Telikicherla K.
AU - Agrawall A.
AU - Choppella V.
PY - 2017
SP - 516
EP - 523
DO - 10.5220/0006261105160523