Abstract
Cross-origin request attacks (CORA), such as cross-site request forgery (CSRF) and cross-site timing, continue to pose a threat on the modern web. Current browser security policies inadequately mitigate these attacks. Additionally, third-party authentication services are now the preferred way to carry out identity management between multiple enterprises and web applications. This scenario, called Federated Identity Management (FIM), separates the problem of identity management from the core functionality of an application.
In this paper, we construct formally checkable models and design laboratory simulations to show that FIM is susceptible to cross-origin attacks. Further, we employ the Cross Origin Request Policy (CORP) to mitigate such attacks.
© 2017 Springer International Publishing AG
Cite this paper
Agrawall, A., Maheshwari, S., Bandyopadhyay, P., Choppella, V. (2017). Modelling and Mitigation of Cross-Origin Request Attacks on Federated Identity Management Using Cross Origin Request Policy. In: Shyamasundar, R., Singh, V., Vaidya, J. (eds) Information Systems Security. ICISS 2017. Lecture Notes in Computer Science, vol 10717. Springer, Cham. https://doi.org/10.1007/978-3-319-72598-7_16
DOI: https://doi.org/10.1007/978-3-319-72598-7_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-72597-0
Online ISBN: 978-3-319-72598-7
eBook Packages: Computer Science; Computer Science (R0)