
CsFire: Transparent Client-Side Mitigation Of Malicious Cross-Domain Requests

P. D. Ryck, L. Desmet, T. Heyman, F. Piessens, W. Joosen
Published 2010 · Computer Science

Protecting users in the ubiquitous online world is becoming more and more important, as shown by web application security – or the lack thereof – making the mainstream news. One of the more harmful attacks is cross-site request forgery (CSRF), which allows an attacker to make requests to certain web applications while impersonating the user, without the user's awareness. Existing client-side protection mechanisms do not fully mitigate the problem or degrade the browsing experience of the user, especially with web 2.0 techniques such as AJAX, mashups and single sign-on. To fill this gap, this paper makes three contributions. First, a thorough analysis of real-world traffic quantifies the amount of cross-domain traffic and identifies its specific properties. Second, a client-side enforcement policy has been constructed and a Firefox extension, named CsFire (CeaseFire), has been implemented to autonomously mitigate CSRF attacks as precisely as possible. Evaluation was done using specific CSRF scenarios, as well as in real life by a group of test users. Third, the granularity of the client-side policy is improved even further by incorporating server-specific policy refinements about intended cross-domain traffic.