Non-invasive integrity control method for cookie in web applications
Prikladnaya Diskretnaya Matematika. Supplement, no. 8 (2015), pp. 85-89.

See the article record from the source Math-Net.Ru

A non-invasive integrity control method for cookies in web applications is proposed. The method is based on cryptographic protocols and keyed hash functions and relies on creating and using a set of auxiliary cookies. For every controlled cookie C, there is an auxiliary cookie containing an HMAC over the value of C and its expiration date, together with the expiration date itself. This makes it possible to control the integrity of the value of C and to make its deletion impossible. In addition, a further auxiliary cookie controls the integrity of the path, domain and other attributes of all controlled cookies; the integrity of this auxiliary cookie's own value is likewise ensured with an HMAC. In summary, the proposed method addresses the following problems in web applications: ensuring the integrity of cookie values; protecting cookies against deletion and prolongation, i.e. against modification of the “expires” attribute or setting of the session flag; ensuring the integrity of the “path” and “domain” attributes; and controlling that cookies carrying the “secure” attribute are transmitted only over a secure connection. All these functions can be implemented in web applications in a non-invasive way, so the method can be used in non-invasive protection mechanisms against web application attacks that employ cookies as an attack vector.
Keywords: cryptographic protocols, hash functions, web application, HTTP cookie.
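The following is an added illustration of the scheme the abstract describes, written for this page and not taken from the paper or its prototype. It models a non-invasive guard (e.g. a reverse proxy) that, for each controlled cookie C, emits two auxiliary cookies (the signed expiry and an HMAC over name, value and expiry) plus one attribute cookie carrying the path/domain/secure attributes of all controlled cookies under its own HMAC, and that checks all of them on inbound requests. The auxiliary cookie names (`.exp`, `.mac`, `__cookie_attrs`), the length-prefixed HMAC-SHA256 encoding, the `|`-separated attribute cookie layout and the demo key are assumptions of this example; the paper does not prescribe them.

```python
"""Constructed example of HMAC-based non-invasive cookie integrity control.
Not the paper's code; names and encodings below are this example's assumptions."""
import hashlib
import hmac
import json
from typing import Dict, List

ATTRS_COOKIE = "__cookie_attrs"            # assumed name of the shared attribute cookie
EXP_SUFFIX, MAC_SUFFIX = ".exp", ".mac"    # assumed names of the per-cookie auxiliary cookies


def _mac(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over length-prefixed fields, so ('ab','c') and ('a','bc') never collide."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(f"{len(p)}:{p}".encode())
    return h.hexdigest()


def protect(key: bytes, cookies: Dict[str, dict]) -> Dict[str, str]:
    """Given the application's cookies (name -> {value, expires, path, domain, secure}),
    return every cookie the guard emits: the originals plus their auxiliary cookies.
    Auxiliary cookies are assumed to be set with the same lifetime as the controlled cookie."""
    out: Dict[str, str] = {}
    attrs: Dict[str, dict] = {}
    for name, c in cookies.items():
        exp = str(int(c["expires"]))               # expiry as a Unix timestamp string
        out[name] = c["value"]
        out[name + EXP_SUFFIX] = exp               # the expiry itself, readable by the guard
        out[name + MAC_SUFFIX] = _mac(key, name, c["value"], exp)   # binds value and expiry
        attrs[name] = {
            "path": c.get("path", "/"),
            "domain": c.get("domain", ""),
            "secure": bool(c.get("secure", False)),
        }
    # One attribute cookie for all controlled cookies, protected by its own HMAC.
    body = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    out[ATTRS_COOKIE] = body + "|" + _mac(key, ATTRS_COOKIE, body)
    return out


def verify(key: bytes, received: Dict[str, str], now: int, over_tls: bool) -> List[str]:
    """Check an inbound Cookie header parsed into name -> value.
    Returns a list of violations; an empty list means every controlled cookie is intact."""
    problems: List[str] = []
    raw = received.get(ATTRS_COOKIE)
    if raw is None or "|" not in raw:
        return ["attribute cookie missing"]
    body, tag = raw.rsplit("|", 1)
    if not hmac.compare_digest(tag, _mac(key, ATTRS_COOKIE, body)):
        return ["attribute cookie MAC mismatch"]
    attrs = json.loads(body)                        # trusted only after the MAC check above
    for name, a in attrs.items():
        value = received.get(name)
        exp = received.get(name + EXP_SUFFIX)
        tag = received.get(name + MAC_SUFFIX)
        if value is None or exp is None or tag is None:
            # The attribute cookie says this cookie was issued; its absence is a deletion.
            problems.append(f"{name}: cookie or auxiliary cookie deleted")
            continue
        if not hmac.compare_digest(tag, _mac(key, name, value, exp)):
            # Covers edited values and edited expiry (prolongation by rewriting the date).
            problems.append(f"{name}: value/expiry MAC mismatch")
            continue
        if int(exp) <= now:
            # Signed expiry is in the past: the client kept a cookie it should have dropped.
            problems.append(f"{name}: presented after its signed expiry (prolongation)")
        if a["secure"] and not over_tls:
            problems.append(f"{name}: secure cookie sent over plaintext")
    return problems


if __name__ == "__main__":
    key = b"constructed-demo-key"               # constructed; a deployment uses a random secret
    jar = protect(key, {"session": {"value": "abc123", "expires": 1700000000,
                                    "path": "/", "domain": "app.example.test", "secure": True}})
    print(verify(key, jar, now=1699999000, over_tls=True))
    tampered = dict(jar, session="evil")
    print(verify(key, tampered, now=1699999000, over_tls=True))
```

Because the guard learns which cookies are controlled from the attribute cookie rather than from the application, it can sit in front of an unmodified application; a request whose attribute cookie is missing or fails its MAC is rejected outright, so an attacker cannot escape control by deleting the bookkeeping cookies along with the one being attacked.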
@article{PDMA_2015_8_a31,
     author = {D. N. Kolegov and O. V. Broslavsky and N. E. Oleksov},
     title = {Non-invasive integrity control method for cookie in web applications},
     journal = {Prikladnaya Diskretnaya Matematika. Supplement},
     pages = {85--89},
     publisher = {mathdoc},
     number = {8},
     year = {2015},
     language = {ru},
     url = {http://geodesic.mathdoc.fr/item/PDMA_2015_8_a31/}
}
TY  - JOUR
AU  - D. N. Kolegov
AU  - O. V. Broslavsky
AU  - N. E. Oleksov
TI  - Non-invasive integrity control method for cookie in web applications
JO  - Prikladnaya Diskretnaya Matematika. Supplement
PY  - 2015
SP  - 85
EP  - 89
IS  - 8
PB  - mathdoc
UR  - http://geodesic.mathdoc.fr/item/PDMA_2015_8_a31/
LA  - ru
ID  - PDMA_2015_8_a31
ER  - 
%0 Journal Article
%A D. N. Kolegov
%A O. V. Broslavsky
%A N. E. Oleksov
%T Non-invasive integrity control method for cookie in web applications
%J Prikladnaya Diskretnaya Matematika. Supplement
%D 2015
%P 85-89
%N 8
%I mathdoc
%U http://geodesic.mathdoc.fr/item/PDMA_2015_8_a31/
%G ru
%F PDMA_2015_8_a31
D. N. Kolegov; O. V. Broslavsky; N. E. Oleksov. Non-invasive integrity control method for cookie in web applications. Prikladnaya Diskretnaya Matematika. Supplement, no. 8 (2015), pp. 85-89. http://geodesic.mathdoc.fr/item/PDMA_2015_8_a31/