Authentication in distributed systems: theory and practice
ACM Transactions on Computer Systems (TOCS)
Robust defenses for cross-site request forgery
Proceedings of the 15th ACM conference on Computer and communications security
Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection
Financial Cryptography and Data Security
Automatic and precise client-side protection against CSRF attacks
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
CsFire: transparent client-side mitigation of malicious cross-domain requests
ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems
Scriptless attacks: stealing the pie without touching the sill
Proceedings of the 2012 ACM conference on Computer and communications security
Hi-index | 0.00 |
Cross-Site Request Forgery (CSRF) attacks are one of the top threats on the web today. These attacks exploit ambient authority in browsers (eg cookies, HTTP authentication state), turning them into confused deputies and causing undesired side effects on vulnerable web sites. Existing defenses against CSRFs fall short in their coverage and/or ease of deployment. In this paper, we present a browser/server solution, Allowed Referrer Lists (ARLs), that addresses the root cause of CSRFs and removes ambient authority for participating web sites that want to be resilient to CSRF attacks. Our solution is easy for web sites to adopt and does not affect any functionality on non-participating sites. We have implemented our design in Firefox and have evaluated it with real-world sites. We found that ARLs successfully block CSRF attacks, are simpler to implement than existing defenses, and do not significantly impact browser performance.