Research Article
ERI: A New Method for Ensuring Request Integrity
@INPROCEEDINGS{10.4108/eai.18-6-2016.2264203,
  author={Eryue Zhuang and Zhenzhou Tian and Xiaojun Cui and Jian Li and Zhiwen Wang},
  title={ERI: A New Method for Ensuring Request Integrity},
  proceedings={The 3rd International Workshop on Data, Text, Web, and Social Network Mining},
  publisher={ACM},
  proceedings_a={DTWSM},
  year={2016},
  month={12},
  keywords={request integrity cross site request forgery workflow attack aspect oriented programming},
  doi={10.4108/eai.18-6-2016.2264203}
}
Eryue Zhuang
Zhenzhou Tian
Xiaojun Cui
Jian Li
Zhiwen Wang
Year: 2016
ERI: A New Method for Ensuring Request Integrity
DTWSM
ACM
DOI: 10.4108/eai.18-6-2016.2264203
Abstract
In web applications, a series of requests is performed in a fixed order to accomplish a given task. A request integrity attack (RIA) steals users' data and identity by inducing users to execute malicious requests that originate from untrusted sources and violate this regular order. In this paper, an Ensuring Request Integrity (ERI) method is proposed to prevent the two major RIAs: Cross-Site Request Forgery (CSRF) and the Workflow Attack (WF). Aspect-Oriented Programming (AOP) is applied to instrument monitors into programs at runtime without modifying the source code. Real-time user-application interactions are captured through jQuery event listening, and tokens are added dynamically to ensure the trustworthiness of both the source and the process of each request. By deploying ERI on six large open-source web applications, the experimental results show that ERI can ensure request integrity without negative impact on the applications or the user experience. Moreover, ERI is capable of monitoring and analyzing dynamic requests and the multiple label issue in Web 2.0.
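The abstract describes two checks a request must pass: a token proving its source (against CSRF) and a token bound to its position in the expected sequence (against the Workflow Attack). The following added example, which is not the paper's implementation, sketches the server-side half of such a monitor; the four-step workflow, the token format and the class name are assumptions chosen for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed example workflow: each request must follow its predecessor.
WORKFLOW = ["cart", "address", "payment", "confirm"]


class RequestIntegrityMonitor:
    """Illustrative per-session monitor (not the paper's code).

    A keyed MAC over "step:nonce" proves the request came from a page this
    session rendered (CSRF check); the embedded step plus a server-side
    cursor proves the request arrives in the regular order (WF check).
    """

    def __init__(self):
        self.key = secrets.token_bytes(32)  # per-session secret, never sent to the client
        self.next_index = 0                 # index into WORKFLOW of the step expected next
        self.nonce = secrets.token_hex(8)   # rotated after every accepted request

    def issue_token(self):
        """Token the client-side listener would attach to the user's next real request."""
        if self.next_index >= len(WORKFLOW):
            return None
        step = WORKFLOW[self.next_index]
        mac = hmac.new(self.key, f"{step}:{self.nonce}".encode(), hashlib.sha256).hexdigest()
        return f"{step}:{self.nonce}:{mac}"

    def check(self, step, token):
        """Return (accepted, reason) for a request claiming to perform `step`."""
        if self.next_index >= len(WORKFLOW):
            return False, "workflow already completed"
        if token is None:
            return False, "missing token (cross-origin request carries none)"
        try:
            tok_step, nonce, mac = token.split(":")
        except ValueError:
            return False, "malformed token"
        expected = hmac.new(self.key, f"{tok_step}:{nonce}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False, "forged token (CSRF)"
        if nonce != self.nonce:
            return False, "replayed token"
        if tok_step != step or step != WORKFLOW[self.next_index]:
            return False, f"out-of-order request, expected {WORKFLOW[self.next_index]} (WF)"
        self.next_index += 1                # advance the workflow cursor
        self.nonce = secrets.token_hex(8)   # make the consumed token single-use
        return True, "ok"
```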