Cross-Site Request Forgery (CSRF) vulnerabilities constitute one of the most serious web application vulnerabilities, ranking fourth in the CWE/SANS Top 25 Most Dangerous Software Errors. By exploiting this vulnerability, an attacker can submit requests to a web application using a victim user's credentials. A successful attack can lead to compromised accounts, stolen bank funds or information leaks. This paper presents a new server-side defense against CSRF attacks. Our solution, called jCSRF, operates as a server-side proxy, and does not require any server or browser modifications. Thus, it can be deployed by a site administrator without requiring access to web application source code, or the need to understand it. Moreover, protection is achieved without requiring web-site users to make use of a specific browser or a browser plug-in. Unlike previous server-side solutions, jCSRF addresses two key aspects of Web 2.0: extensive use of client-side scripts that can create requests to URLs that do not appear in the HTML page returned to the client; and services provided by two or more collaborating web sites that need to make cross-domain requests.
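As an added illustration (not the paper's jCSRF code, whose mechanism the abstract does not detail), the following is a minimal token-based filter of the kind a server-side proxy can apply in front of an unmodified application: it rewrites HTML responses to add a session-bound token to every POST form, rejects state-changing requests that do not carry that token, and also accepts the token from a request header so that script-issued requests can be covered. The function names, the `_csrf` field, the `X-CSRF-Token` header and the `demo_app` stand-in are all assumptions made for this example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed deployment key; a real proxy would load it from configuration.
SECRET = secrets.token_bytes(32)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
POST_FORM = re.compile(r'<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>', re.I)

def make_token(session_id: str) -> str:
    # HMAC over the session id: per-session, unguessable from another origin,
    # and needs no server-side token store.
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def inject_tokens(html: str, token: str) -> str:
    # Rewrite the application's response so every POST form carries the token.
    field = f'<input type="hidden" name="_csrf" value="{token}">'
    return POST_FORM.sub(lambda m: m.group(0) + field, html)

def request_allowed(method, session_id, form_token, header_token) -> bool:
    # Safe methods pass untouched. State-changing requests must carry a token
    # bound to the session, in a form field or (for script-issued XHR) a header.
    if method.upper() in SAFE_METHODS:
        return True
    supplied = form_token or header_token
    if session_id is None or supplied is None:
        return False
    return hmac.compare_digest(supplied, make_token(session_id))

def proxy(upstream, req):
    # req: {"method", "session_id", "form", "headers"}; upstream(req) returns
    # (status, content_type, body) from the unmodified application.
    ok = request_allowed(req["method"], req.get("session_id"),
                         req.get("form", {}).get("_csrf"),
                         req.get("headers", {}).get("X-CSRF-Token"))
    if not ok:
        return 403, "text/plain", "CSRF token missing or invalid"
    status, ctype, body = upstream(req)
    if ctype.startswith("text/html") and req.get("session_id"):
        body = inject_tokens(body, make_token(req["session_id"]))
    return status, ctype, body

def demo_app(req):
    # Constructed stand-in for the protected application; it knows nothing about CSRF.
    if req["method"] == "POST":
        return 200, "text/plain", "transfer done"
    return 200, "text/html", '<form method="post" action="/transfer"><input name="amt"></form>'
```

The filter only covers forms present in the HTML; requests built by client-side scripts to URLs absent from the page (the first Web 2.0 case the abstract raises) pass only if the script sends the header, which is the gap a fuller proxy has to close.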