ERI: A New Method for Ensuring Request Integrity

MobiMedia(2016)

Abstract
In web applications, a series of requests is performed in a fixed order to achieve certain requirements. The request integrity attack (RIA) is applied to steal users' data and identity by inducing users to execute malicious requests that come from untrusted sources and violate the regular order. In this paper, an Ensuring Request Integrity (ERI) method is proposed to prevent two major RIAs: Cross-Site Request Forgery (CSRF) and Workflow Attack (WF). AOP (Aspect-Oriented Programming) is applied to instrument monitors into programs at runtime without modifying the source code. Real-time user-application interactions are captured by jQuery event listening, and tokens are dynamically added to ensure the trustworthiness of the source and process of each request. Experimental results from deploying ERI on six large open source Web applications show that ERI can ensure request integrity without causing negative impacts on the applications and user experience. Moreover, ERI is capable of monitoring and analyzing the dynamic requests and multiple label issue in Web 2.0.
Keywords
eri