Intrusion Detection via Static Analysis
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Anomaly detection of web-based attacks
Proceedings of the 10th ACM conference on Computer and communications security
Proceedings of the 12th ACM conference on Computer and communications security
An anomaly-driven reverse proxy for web applications
Proceedings of the 2006 ACM symposium on Applied computing
Learning DFA representations of HTTP for protecting web applications
Computer Networks: The International Journal of Computer and Telecommunications Networking
SIF: enforcing confidentiality and integrity in web applications
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Robust defenses for cross-site request forgery
Proceedings of the 15th ACM conference on Computer and communications security
Using static analysis for Ajax intrusion detection
Proceedings of the 18th international conference on World wide web
Precise interface identification to improve testing and analysis of web applications
Proceedings of the eighteenth international symposium on Software testing and analysis
Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection
Financial Cryptography and Data Security
Ripley: automatically securing web 2.0 applications through replicated execution
Proceedings of the 16th ACM conference on Computer and communications security
Swaddler: an approach for the anomaly-based detection of state violations in web applications
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Dartmouth internet security testbed (DIST: building a campus-wide wireless testbed
CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction
Proceedings of the 18th ACM conference on Computer and communications security
Position paper: why are there so many vulnerabilities in web applications?
Proceedings of the 2011 workshop on New security paradigms workshop
A server- and browser-transparent CSRF defense for web 2.0 applications
Proceedings of the 27th Annual Computer Security Applications Conference
Control-Flow integrity in web applications
ESSoS'13 Proceedings of the 5th international conference on Engineering Secure Software and Systems
| Hi-index | 0.00 |
A web application is constructed to process an intended sequence of requests. Failing to enforce the intended sequences can lead to request integrity (RI) attacks, wherein an attacker forces an application into processing an unintended request sequence. Cross-site-request forgeries (CSRF) and workflow violations are two classes of RI attacks. Enforcing the intended request sequences is essential for ensuring the integrity of the application. We describe a new approach for enforcing request integrity in a web application, and its implementation in a tool called BAYAWAK. Under our approach, the intended request sequences of an application are specified as a security policy, and a framework-level method enforces the security policy strictly and transparently without requiring changes in the application's source code. Our approach can be compared to operating system (OS) support for access control--access control is not built into the application, but based on OS level policy settings. We evaluated BAYAWAK using nine open source web applications. Our results indicate that our approach is effective against request integrity attacks and incurs negligible overhead.