Journal: International journal of information privacy, security and integrity

Request dependency integrity: validating web requests using dependencies in the browser environment

Abstract

Web requests are the cornerstones of modern web applications. As the browser environment evolves with increasing complexity, attackers have various ways of triggering malicious requests to the server. Traditional security solutions, such as HTTP cookies and session IDs, are insufficient in helping the server to distinguish benign web requests from malicious ones. By design, a web application only expects requests to be generated in certain ways in the browser environment. Therefore, the dynamic browser behaviours and static browser environment that a web request depends on are invariant, which we call request dependency integrity. Based on this observation, we propose a comprehensive approach to validating web requests using dependencies in the browser environment. Our approach extracts the dependency of web requests from the browser, representing it in a request dependency graph (RDG). RDG allows web servers to detect malicious requests through enforcing the request dependency integrity, which is applicable to a wide range of malicious-request-based attacks. We develop an end-to-end solution called ClearRequest and build a prototype in the Firefox browser. We demonstrate the effectiveness of ClearRequest in evaluation using several types of malicious-request-based attacks.