The 3rd International Workshop on Data, Text, Web, and Social Network Mining

Research Article

ERI: A New Method for Ensuring Request Integrity

BibTeX:

@INPROCEEDINGS{10.4108/eai.18-6-2016.2264203,
  author={Eryue Zhuang and Zhenzhou Tian and Xiaojun Cui and Jian Li and Zhiwen Wang},
  title={ERI: A New Method for Ensuring Request Integrity},
  proceedings={The 3rd International Workshop on Data, Text, Web, and Social Network Mining},
  publisher={ACM},
  proceedings_a={DTWSM},
  year={2016},
  month={12},
  keywords={request integrity; cross site request forgery; workflow attack; aspect oriented programming},
  doi={10.4108/eai.18-6-2016.2264203}
}

Citation: Eryue Zhuang, Zhenzhou Tian, Xiaojun Cui, Jian Li, Zhiwen Wang. "ERI: A New Method for Ensuring Request Integrity." DTWSM, ACM, 2016. DOI: 10.4108/eai.18-6-2016.2264203
Eryue Zhuang (1, *), Zhenzhou Tian (1), Xiaojun Cui (1), Jian Li (1), Zhiwen Wang (1)
  1: Xi'an Jiaotong University
  *Contact email: zhuangeryue@stu.xjtu.edu.cn

Abstract

In web applications, a series of requests is performed in a fixed order to fulfil a given requirement. A request integrity attack (RIA) steals users' data and identity by inducing users to execute malicious requests that originate from untrusted sources and violate the regular order. In this paper, an Ensuring Request Integrity (ERI) method is proposed to prevent two major RIAs: Cross Site Request Forgery (CSRF) and Workflow Attack (WF). Aspect-Oriented Programming (AOP) is applied to instrument monitors into programs at runtime without modifying the source code. Real-time user-application interactions are captured by jQuery event listening, and tokens are dynamically added to ensure the trustworthiness of the source and the process of each request. ERI was deployed on six large open source Web applications, and the experimental results show that it ensures request integrity without negative impacts on the applications or the user experience. Moreover, ERI is capable of monitoring and analyzing dynamic requests and the multiple-label issue in Web 2.0.