CsFire: transparent client-side mitigation of malicious cross-domain requests

Authors:
Philippe De Ryck;Lieven Desmet;Thomas Heyman;Frank Piessens;Wouter Joosen
Affiliations:
IBBT-DistriNet, Katholieke Universiteit Leuven, Leuven, Belgium;IBBT-DistriNet, Katholieke Universiteit Leuven, Leuven, Belgium;IBBT-DistriNet, Katholieke Universiteit Leuven, Leuven, Belgium;IBBT-DistriNet, Katholieke Universiteit Leuven, Leuven, Belgium;IBBT-DistriNet, Katholieke Universiteit Leuven, Leuven, Belgium
Venue:
ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems
Year:
2010

Citing 3
Cited 10

Defeating script injection attacks with browser-enforced embedded policies

Proceedings of the 16th international conference on World Wide Web
Robust defenses for cross-site request forgery

Proceedings of the 15th ACM conference on Computer and communications security
Browser protection against cross-site request forgery

Proceedings of the first ACM workshop on Secure execution of untrusted code

Towards revealing JavaScript program intents using abstract interpretation

Proceedings of the Sixth Asian Internet Engineering Conference
SessionShield: lightweight protection against session hijacking

ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Automatic and precise client-side protection against CSRF attacks

ESORICS'11 Proceedings of the 16th European conference on Research in computer security
A server- and browser-transparent CSRF defense for web 2.0 applications

Proceedings of the 27th Annual Computer Security Applications Conference
WebJail: least-privilege integration of third-party components in web mashups

Proceedings of the 27th Annual Computer Security Applications Conference
Gibraltar: exposing hardware devices to web pages using AJAX

WebApps'12 Proceedings of the 3rd USENIX conference on Web Application Development
Better security and privacy for web browsers: a survey of techniques, and a new implementation

FAST'11 Proceedings of the 8th international conference on Formal Aspects of Security and Trust
DEMACRO: defense against malicious cross-domain requests

RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
Lightweight server support for browser-based CSRF protection

Proceedings of the 22nd international conference on World Wide Web
Quite a mess in my cookie jar!: leveraging machine learning to protect web authentication

Proceedings of the 23rd international conference on World wide web

Quantified Score

Hi-index	0.00

Visualization

Abstract

Protecting users in the ubiquitous online world is becoming more and more important, as shown by web application security – or the lack thereof – making the mainstream news. One of the more harmful attacks is cross-site request forgery (CSRF), which allows an attacker to make requests to certain web applications while impersonating the user without their awareness. Existing client-side protection mechanisms do not fully mitigate the problem or have a degrading effect on the browsing experience of the user, especially with web 2.0 techniques such as AJAX, mashups and single sign-on. To fill this gap, this paper makes three contributions: first, a thorough traffic analysis on real-world traffic quantifies the amount of cross-domain traffic and identifies its specific properties. Second, a client-side enforcement policy has been constructed and a Firefox extension, named CsFire (CeaseFire), has been implemented to autonomously mitigate CSRF attacks as precise as possible. Evaluation was done using specific CSRF scenarios, as well as in real-life by a group of test users. Third, the granularity of the client-side policy is improved even further by incorporating server-specific policy refinements about intended cross-domain traffic.