I am working under Dr. Venkatesh Choppella in the field of web security. We analyse the policy CORP (Cross Origin Request Policy), which mitigates cross-origin request attacks. We study a major attack, the browser-based DDoS attack, and show that it can be mitigated using CORP.
Our next research work involves:
1. Modelling a Federated Identity Management (FIM) transaction and showing that CORP doesn't affect such a complex cross-origin transaction.
2. Implementing CORP inside Chromium and finding the overhead that CORP has in mitigating cross-origin request attacks.
We think the primary challenge will be implementing CORP in Chromium. Chromium has a huge code base (approx. 43.5 GB). Implementing CORP inside Chromium will be one of the major challenges.
We find one of the biggest applications of CORP, i.e. mitigating browser-based DDoS attacks. We will verify the robustness of CORP using formal modelling (the Alloy language). We will implement CORP directly in the browser and find its overhead in mitigating the attack.
We have shown that CORP can mitigate a browser-based DDoS attack within one second, thereby allowing the server to serve user requests.
Paper accepted in ISEC'17. Title: Mitigating Browser-based DDoS Attacks using CORP. Authors: Akash Agrawall, Krishna Chaitanya Telikicherla, Arnav Kumar Agrawal and Venkatesh Choppella.