Browser protection against cross-site request forgery

Authors:
Wim Maes;Thomas Heyman;Lieven Desmet;Wouter Joosen
Affiliations:
Katholieke Universiteit Leuven, Leuven, Belgium;Katholieke Universiteit Leuven, Leuven, Belgium;Katholieke Universiteit Leuven, Leuven, Belgium;Katholieke Universiteit Leuven, Leuven, Belgium
Venue:
Proceedings of the first ACM workshop on Secure execution of untrusted code
Year:
2009

Citing 3
Cited 5

Robust defenses for cross-site request forgery

Proceedings of the 15th ACM conference on Computer and communications security
SOMA: mutual approval for included content in web pages

Proceedings of the 15th ACM conference on Computer and communications security
Protecting browsers from DNS rebinding attacks

ACM Transactions on the Web (TWEB)

A client-based and server-enhanced defense mechanism for cross-site request forgery

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Strengthening XSRF defenses for legacy web applications using whitebox analysis and transformation

ICISS'10 Proceedings of the 6th international conference on Information systems security
Automatic and precise client-side protection against CSRF attacks

ESORICS'11 Proceedings of the 16th European conference on Research in computer security
A server- and browser-transparent CSRF defense for web 2.0 applications

Proceedings of the 27th Annual Computer Security Applications Conference
CsFire: transparent client-side mitigation of malicious cross-domain requests

ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

As businesses are opening up to the web, securing their web applications becomes paramount. Nevertheless, the number of web application attacks is constantly increasing. Cross-Site Request Forgery (CSRF) is one of the more serious threats to web applications that gained a lot of attention lately. It allows an attacker to perform malicious authorized actions originating in the end-users browser, without his knowledge. This paper presents a client-side policy enforcement framework to transparently protect the end-user against CSRF. To do so, the framework monitors all outgoing web requests within the browser and enforces a configurable cross-domain policy. The default policy is carefully selected to transparently operate in a web 2.0 context. In addition, the paper also proposes an optional server-side policy to improve the accuracy of the client-side policy enforcement. A prototype is implemented as a Firefox extension, and is thoroughly evaluated in a web 2.0 context.