Abstract
Protecting users in the ubiquitous online world is becoming more and more important, as shown by web application security – or the lack thereof – making the mainstream news. One of the more harmful attacks is cross-site request forgery (CSRF), which allows an attacker to make requests to certain web applications while impersonating the user, without the user's awareness. Existing client-side protection mechanisms do not fully mitigate the problem or degrade the browsing experience of the user, especially with web 2.0 techniques such as AJAX, mashups and single sign-on. To fill this gap, this paper makes three contributions. First, a thorough analysis of real-world traffic quantifies the amount of cross-domain traffic and identifies its specific properties. Second, a client-side enforcement policy has been constructed and a Firefox extension, named CsFire (CeaseFire), has been implemented to autonomously mitigate CSRF attacks as precisely as possible. The extension was evaluated against specific CSRF scenarios, as well as in real-life use by a group of test users. Third, the granularity of the client-side policy is improved even further by incorporating server-specific policy refinements about intended cross-domain traffic.
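The following is an added illustration, not code from the CsFire extension or the paper: a small model of a client-side CSRF policy of the kind the abstract describes, in which cross-domain requests are classified by comparing the initiating page's domain with the destination, and a server-supplied refinement can declare specific cross-domain traffic (such as a single sign-on callback) as intended. The stripping of cookies and Authorization headers as the mitigation, the policy format, the domain names and the "last two labels" domain rule are all assumptions made for this example.

```javascript
// Constructed model of a client-side CSRF policy (not the CsFire code).
// Cross-domain requests lose ambient credentials unless the destination
// server's refinement declares that cross-domain traffic as intended.

// Registrable domain of a URL. Assumption: a simple "last two labels" rule;
// a real implementation needs the public suffix list (e.g. co.uk).
function domainOf(url) {
  const host = new URL(url).hostname;
  return host.split('.').slice(-2).join('.');
}

// Assumed format for server-supplied refinements, keyed by destination
// domain: which source domains may send credentialed cross-domain
// requests, and with which HTTP methods. All values are constructed.
const serverPolicies = {
  'bank.example': { allowFrom: { 'sso.example': ['POST'] } },
};

// Decide what to do with an outgoing request.
// 'allow': same-domain, user-initiated, or server-declared intended traffic.
// 'strip': cross-domain, so send it without cookies and Authorization.
function decide(request, policies = serverPolicies) {
  const src = request.initiator ? domainOf(request.initiator) : null;
  const dst = domainOf(request.url);
  if (src === dst) return 'allow';   // same-domain traffic is untouched
  if (src === null) return 'allow';  // assumption: no initiator means the
                                     // user typed/bookmarked the URL
  const policy = policies[dst];
  const methods = policy && policy.allowFrom[src];
  if (methods && methods.includes(request.method)) return 'allow';
  return 'strip';
}

// Apply the decision: a stripped request keeps URL, method and body but
// loses the headers that carry the user's ambient authority.
function enforce(request, policies) {
  const decision = decide(request, policies);
  if (decision === 'allow') return { ...request, decision };
  const headers = Object.fromEntries(
    Object.entries(request.headers || {}).filter(
      ([name]) => !['cookie', 'authorization'].includes(name.toLowerCase())));
  return { ...request, headers, decision };
}

// Constructed sample: a form auto-submitted from an attacker's page.
const forged = { initiator: 'https://attacker.example/page',
  url: 'https://bank.example/transfer', method: 'POST',
  headers: { Cookie: 'sid=abc', 'Content-Type': 'application/x-www-form-urlencoded' } };
console.log(enforce(forged).decision, enforce(forged).headers);
```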
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
De Ryck, P., Desmet, L., Heyman, T., Piessens, F., Joosen, W. (2010). CsFire: Transparent Client-Side Mitigation of Malicious Cross-Domain Requests. In: Massacci, F., Wallach, D., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2010. Lecture Notes in Computer Science, vol 5965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11747-3_2
DOI: https://doi.org/10.1007/978-3-642-11747-3_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11746-6
Online ISBN: 978-3-642-11747-3