CORP: A Browser Policy to Mitigate Web Infiltration Attacks

Cross-origin interactions constitute the core of today's collaborative World Wide Web. They are, however, also the cause of malicious behaviour such as Cross-Site Request Forgery (CSRF), clickjacking, and cross-site timing attacks, which we collectively refer to as Web Infiltration attacks. These attacks are a rampant source of information theft and privacy intrusion on the web. Existing browser security policies either ignore this class of attacks, as the Same Origin Policy does, or deal with them insufficiently, as Content Security Policy does.
