Memento: A Framework for Hardening Web Applications


Executive Summary

The authors propose a generic framework called Memento for systematically hardening web applications. Memento models a web application's behavior as a Deterministic Finite Automaton (DFA) in which each server-side script is a state and state transitions are triggered by HTTP requests. They use this DFA to defend against Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. The client web browser and the application server each maintain their own view of the application state. XSS and CSRF attacks either produce an interaction that does not conform to the interaction model or force the web application's view of the state to diverge from the user's view; either condition can be detected by checking requests against the DFA.

  • Format: PDF
  • Size: 394.6 KB