Abstract:
A non-invasive integrity control method for cookies in web applications is suggested. The method is based on cryptographic protocols and keying hash functions. It involves the creation and usage of a set of auxiliary cookies. So for every controlled cookie C, there is a cookie containing hmac from cookie C and its expiration date as well as the value of the expiration date itself. This allows to control the value integrity for C and to ensure the impossibility of its deletion. Besides, there is an auxiliary cookie allowing to control integrity of path, domain and other attributes for all controlled cookies. The value integrity for this auxiliary cookie is also provided with the help of hmac. Generally speaking, the proposed method solves the following problems in web applications: providing the integrity value for cookies; protecting cookies from deletion and prolongation, that is, from changing the attribute “expires” and setting the flag session; providing the value integrity for attributes “path” and “domain”; controlling the transmission of cookie with the attribute “secure” over a secure connection. All these functions of the method are quite capable of being implemented in web applications in non-invasive way. Thus, the method can be used in non-invasive protection mechanisms against web application attacks employing cookies as an attack vector.
Keywords:cryptographic protocols, hash functions, web application, HTTP cookie.