Title: Request dependency integrity: validating web requests using dependencies in the browser environment

Authors: Kailas Patil

Addresses: Department of Computer Engineering, Vishwakarma Institute of Information Technology (VIIT), Pune, India

Abstract: Web requests are the cornerstones of modern web applications. As the browser environment evolves and grows more complex, attackers have various ways of triggering malicious requests to the server. Traditional security mechanisms, such as HTTP cookies and session IDs, are insufficient for helping the server distinguish benign web requests from malicious ones. By design, a web application only expects requests to be generated in certain ways in the browser environment. Therefore, the dynamic browser behaviours and the static browser environment that a web request depends on are invariant; we call this property request dependency integrity. Based on this observation, we propose a comprehensive approach to validating web requests using dependencies in the browser environment. Our approach extracts the dependencies of web requests from the browser and represents them in a request dependency graph (RDG). The RDG allows web servers to detect malicious requests by enforcing request dependency integrity, which is applicable to a wide range of malicious-request-based attacks. We develop an end-to-end solution called ClearRequest and build a prototype in the Firefox browser. We demonstrate the effectiveness of ClearRequest in an evaluation using several types of malicious-request-based attacks.

Keywords: cross-site request forgery; CSRF; request dependencies; request dependency graph; RDG; session misuse attacks; web request validation; web requests; web browsers; network security; Firefox; malicious requests.

DOI: 10.1504/IJIPSI.2016.082120

International Journal of Information Privacy, Security and Integrity, 2016, Vol. 2, No. 4, pp. 281-306

Received: 17 Jun 2016
Accepted: 19 Oct 2016

Published online: 07 Feb 2017
