Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
Robust defenses for cross-site request forgery
Proceedings of the 15th ACM conference on Computer and communications security
Browser protection against cross-site request forgery
Proceedings of the first ACM workshop on Secure execution of untrusted code
Towards revealing JavaScript program intents using abstract interpretation
Proceedings of the Sixth Asian Internet Engineering Conference
SessionShield: lightweight protection against session hijacking
ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Automatic and precise client-side protection against CSRF attacks
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
A server- and browser-transparent CSRF defense for web 2.0 applications
Proceedings of the 27th Annual Computer Security Applications Conference
WebJail: least-privilege integration of third-party components in web mashups
Proceedings of the 27th Annual Computer Security Applications Conference
Gibraltar: exposing hardware devices to web pages using AJAX
WebApps'12 Proceedings of the 3rd USENIX conference on Web Application Development
Better security and privacy for web browsers: a survey of techniques, and a new implementation
FAST'11 Proceedings of the 8th international conference on Formal Aspects of Security and Trust
DEMACRO: defense against malicious cross-domain requests
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Lightweight server support for browser-based CSRF protection
Proceedings of the 22nd international conference on World Wide Web
Quite a mess in my cookie jar!: leveraging machine learning to protect web authentication
Proceedings of the 23rd international conference on World wide web
Hi-index | 0.00 |
Protecting users in the ubiquitous online world is becoming more and more important, as shown by web application security – or the lack thereof – making the mainstream news. One of the more harmful attacks is cross-site request forgery (CSRF), which allows an attacker to make requests to certain web applications while impersonating the user without their awareness. Existing client-side protection mechanisms do not fully mitigate the problem or have a degrading effect on the browsing experience of the user, especially with web 2.0 techniques such as AJAX, mashups and single sign-on. To fill this gap, this paper makes three contributions: first, a thorough traffic analysis on real-world traffic quantifies the amount of cross-domain traffic and identifies its specific properties. Second, a client-side enforcement policy has been constructed and a Firefox extension, named CsFire (CeaseFire), has been implemented to autonomously mitigate CSRF attacks as precise as possible. Evaluation was done using specific CSRF scenarios, as well as in real-life by a group of test users. Third, the granularity of the client-side policy is improved even further by incorporating server-specific policy refinements about intended cross-domain traffic.