Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Protecting browser state from web privacy attacks
Proceedings of the 15th international conference on World Wide Web
InfoScale '06 Proceedings of the 1st international conference on Scalable information systems
Puppetnets: misusing web browsers as a distributed attack infrastructure
Proceedings of the 13th ACM conference on Computer and communications security
Foundations of Security: What Every Programmer Needs to Know
Dynamic pharming attacks and locked same-origin policies for web browsers
Proceedings of the 14th ACM conference on Computer and communications security
Protecting browsers from DNS rebinding attacks
Proceedings of the 14th ACM conference on Computer and communications security
ForceHTTPS: protecting high-security web sites from network attacks
Proceedings of the 17th international conference on World Wide Web
Securing frame communication in browsers
SS'08 Proceedings of the 17th conference on Security symposium
XSS Attacks: Cross Site Scripting Exploits and Defense
CAPTCHA: using hard AI problems for security
EUROCRYPT'03 Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques
WSKE: web server key enabled cookies
FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
Characterizing insecure JavaScript practices on the web
Proceedings of the 18th international conference on World wide web
XCS: cross channel scripting and its impact on web applications
Proceedings of the 16th ACM conference on Computer and communications security
Browser protection against cross-site request forgery
Proceedings of the first ACM workshop on Secure execution of untrusted code
Browser-Based Intrusion Prevention System
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Alhambra: a system for creating, enforcing, and testing browser security policies
Proceedings of the 19th international conference on World wide web
The emergence of cross channel scripting
Communications of the ACM
An architecture for enforcing end-to-end access control over web applications
Proceedings of the 15th ACM symposium on Access control models and technologies
Rootkits for JavaScript environments
WOOT'09 Proceedings of the 3rd USENIX conference on Offensive technologies
Compositional System Security with Interface-Confined Adversaries
Electronic Notes in Theoretical Computer Science (ENTCS)
Symbolic security analysis of Ruby-on-Rails web applications
Proceedings of the 17th ACM conference on Computer and communications security
Protecting browsers from cross-origin CSS attacks
Proceedings of the 17th ACM conference on Computer and communications security
Enforcing request integrity in web applications
DBSec'10 Proceedings of the 24th annual IFIP WG 11.3 working conference on Data and applications security and privacy
MOR: monitoring and measurements through the onion router
PAM'10 Proceedings of the 11th international conference on Passive and active measurement
A client-based and server-enhanced defense mechanism for cross-site request forgery
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Webseclab security education workbench
CSET'10 Proceedings of the 3rd international conference on Cyber security experimentation and test
An analysis of private browsing modes in modern browsers
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Strengthening XSRF defenses for legacy web applications using whitebox analysis and transformation
ICISS'10 Proceedings of the 6th international conference on Information systems security
Proceedings of the 16th Conference on Pattern Languages of Programs
An empirical study on the security of cross-domain policies in rich internet applications
Proceedings of the Fourth European Workshop on System Security
Analyzing inter-application communication in Android
MobiSys '11 Proceedings of the 9th international conference on Mobile systems, applications, and services
Mitigating cross-site form history spamming attacks with domain-based ranking
DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
Putting out a HIT: crowdsourcing malware installs
WOOT'11 Proceedings of the 5th USENIX conference on Offensive technologies
Toward secure embedded web interfaces
SEC'11 Proceedings of the 20th USENIX conference on Security
Permission re-delegation: attacks and defenses
SEC'11 Proceedings of the 20th USENIX conference on Security
Quire: lightweight provenance for smart phone operating systems
SEC'11 Proceedings of the 20th USENIX conference on Security
Automatic and precise client-side protection against CSRF attacks
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Timing is everything: the importance of history detection
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
The power of recognition: secure single sign-on using TLS channel bindings
Proceedings of the 7th ACM workshop on Digital identity management
Artificial intelligence and the future of cybersecurity
Proceedings of the 4th ACM workshop on Security and artificial intelligence
Fear the EAR: discovering and mitigating execution after redirect vulnerabilities
Proceedings of the 18th ACM conference on Computer and communications security
Fortifying web-based applications automatically
Proceedings of the 18th ACM conference on Computer and communications security
SudoWeb: minimizing information disclosure to third parties in single sign-on platforms
ISC'11 Proceedings of the 14th international conference on Information security
Position paper: why are there so many vulnerabilities in web applications?
Proceedings of the 2011 workshop on New security paradigms workshop
A server- and browser-transparent CSRF defense for web 2.0 applications
Proceedings of the 27th Annual Computer Security Applications Conference
SAFERPHP: finding semantic vulnerabilities in PHP applications
Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security
CsFire: transparent client-side mitigation of malicious cross-domain requests
ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems
ARC: protecting against HTTP parameter pollution attacks using application request caches
ACNS'12 Proceedings of the 10th international conference on Applied Cryptography and Network Security
Exploring the ecosystem of referrer-anonymizing services
PETS'12 Proceedings of the 12th international conference on Privacy Enhancing Technologies
Establishing browser security guarantees through formal shim verification
Security'12 Proceedings of the 21st USENIX conference on Security symposium
AdSplit: separating smartphone advertising from applications
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Better security and privacy for web browsers: a survey of techniques, and a new implementation
FAST'11 Proceedings of the 8th international conference on Formal Aspects of Security and Trust
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
On the fragility and limitations of current browser-provided clickjacking protection schemes
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
Web-based attacks on host-proof encrypted storage
WOOT'12 Proceedings of the 6th USENIX conference on Offensive Technologies
Reducing attack surfaces for intra-application communication in Android
Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
Proceedings of the 2012 ACM conference on Computer and communications security
FlowFox: a web browser with flexible and precise information flow control
Proceedings of the 2012 ACM conference on Computer and communications security
Scriptless attacks: stealing the pie without touching the sill
Proceedings of the 2012 ACM conference on Computer and communications security
Detecting and analyzing insecure component usage
Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering
BetterAuth: web authentication revisited
Proceedings of the 28th Annual Computer Security Applications Conference
Keys to the cloud: formal analysis and concrete attacks on encrypted web storage
POST'13 Proceedings of the Second international conference on Principles of Security and Trust
A measurement study of insecure JavaScript practices on the web
ACM Transactions on the Web (TWEB)
Securing web-clients with instrumented code and dynamic runtime monitoring
Journal of Systems and Software
Embassies: radically refactoring the web
NSDI'13 Proceedings of the 10th USENIX conference on Networked Systems Design and Implementation
Lightweight server support for browser-based CSRF protection
Proceedings of the 22nd international conference on World Wide Web
Toward principled browser security
HotOS'13 Proceedings of the 14th USENIX conference on Hot Topics in Operating Systems
Content-based isolation: rethinking isolation policy design on client systems
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Unauthorized origin crossing on mobile platforms: threats and mitigation
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Auto-FBI: a user-friendly approach for secure access to sensitive content on the web
Proceedings of the 29th Annual Computer Security Applications Conference
Measuring the practical impact of DNSSEC deployment
SEC'13 Proceedings of the 22nd USENIX conference on Security
Gradual typing embedded securely in JavaScript
Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages
A survey on server-side approaches to securing web applications
ACM Computing Surveys (CSUR)
Flow stealing: A well-timed redirection attack
Journal of Computer Security - Research in Computer Security and Privacy: Emerging Trends
Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the honest web site as the attacker. The severity of a login CSRF vulnerability varies by site, but it can be as severe as a cross-site scripting vulnerability. We detail three major CSRF defense techniques and find shortcomings with each technique. Although the HTTP Referer header could provide an effective defense, our experimental observation of 283,945 advertisement impressions indicates that the header is widely blocked at the network layer due to privacy concerns. Our observations do suggest, however, that the header can be used today as a reliable CSRF defense over HTTPS, making it particularly well-suited for defending against login CSRF. For the long term, we propose that browsers implement the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns.