
CsFire: Transparent Client-Side Mitigation Of Malicious Cross-Domain Requests

P. De Ryck, L. Desmet, T. Heyman, F. Piessens, W. Joosen
Published 2010 · Computer Science

Protecting users in the ubiquitous online world is becoming more and more important, as shown by web application security, or the lack thereof, making the mainstream news. One of the more harmful attacks is cross-site request forgery (CSRF), which allows an attacker to make requests to certain web applications while impersonating the user, without the user's awareness. Existing client-side protection mechanisms do not fully mitigate the problem or degrade the browsing experience of the user, especially with web 2.0 techniques such as AJAX, mashups and single sign-on. To fill this gap, this paper makes three contributions. First, a thorough analysis of real-world traffic quantifies the amount of cross-domain traffic and identifies its specific properties. Second, a client-side enforcement policy has been constructed and a Firefox extension, named CsFire (CeaseFire), has been implemented to autonomously mitigate CSRF attacks as precisely as possible. Evaluation was done using specific CSRF scenarios, as well as in real life by a group of test users. Third, the granularity of the client-side policy is improved even further by incorporating server-specific policy refinements about intended cross-domain traffic.
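The abstract sketches a client-side policy that distinguishes cross-domain from same-domain requests, neutralises the former so the target server cannot attribute them to the logged-in user, and lets servers declare which cross-domain traffic is intended. The following JavaScript block is an added illustration of that idea and is not code from the CsFire extension or the paper: the registered-domain rule, the shape of the refinement records, the choice of headers to strip and the sample requests are all assumptions made here.

```javascript
// Added example: a minimal model of a CsFire-style client-side CSRF policy.
// Not the extension's own code; classification rules, refinement-record
// shape and sample traffic are assumptions for illustration.

// Registered domain = last two DNS labels. Assumption: this ignores
// multi-label public suffixes (co.uk, github.io); a real policy would
// consult the Public Suffix List instead.
function registeredDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// A request is cross-domain when the document that initiated it lives on a
// different registered domain than the target. A request with no initiating
// document (typed URL, bookmark) is treated as user-intended.
function isCrossDomain(initiatorUrl, targetUrl) {
  if (initiatorUrl === null) return false;
  return registeredDomain(new URL(initiatorUrl).hostname) !==
         registeredDomain(new URL(targetUrl).hostname);
}

// Server-supplied refinement (hypothetical record shape): the target site
// declares which foreign domains may send it authenticated requests,
// optionally restricted to certain HTTP methods.
//   { target: "bank.example", allowFrom: ["payments.example"], methods: ["POST"] }
function refinementAllows(refinements, initiatorUrl, request) {
  if (initiatorUrl === null) return false;
  const from = registeredDomain(new URL(initiatorUrl).hostname);
  const to = registeredDomain(new URL(request.url).hostname);
  return refinements.some(r =>
    r.target === to &&
    r.allowFrom.includes(from) &&
    (!r.methods || r.methods.includes(request.method)));
}

// Enforcement: strip ambient authentication (Cookie, Authorization) from
// cross-domain requests unless a refinement declares the traffic intended.
// Returns the decision plus a copy of the request; the input is untouched.
function enforce(initiatorUrl, request, refinements = []) {
  const headers = { ...request.headers };
  let action = "pass";
  if (isCrossDomain(initiatorUrl, request.url) &&
      !refinementAllows(refinements, initiatorUrl, request)) {
    for (const name of Object.keys(headers)) {
      if (["cookie", "authorization"].includes(name.toLowerCase())) {
        delete headers[name];
      }
    }
    action = "strip";
  }
  return { action, request: { ...request, headers } };
}

// Constructed scenario (not real traffic): the user holds a session cookie
// for bank.example; a page on attacker.example triggers a state-changing
// POST carrying that cookie. The browser would attach the cookie itself;
// here it is embedded to make the request self-contained.
const forged = {
  method: "POST",
  url: "https://bank.example/transfer",
  headers: {
    Cookie: "session=abc123",
    "Content-Type": "application/x-www-form-urlencoded",
  },
  body: "to=mallory&amount=1000",
};

// Hypothetical refinement published by bank.example: only payments.example
// may POST to it with credentials attached.
const refinements = [
  { target: "bank.example", allowFrom: ["payments.example"], methods: ["POST"] },
];

// Three initiators for the same request: the attacker page, a page on the
// bank's own site, and the partner site named in the refinement.
function demo() {
  return {
    attack: enforce("https://attacker.example/lure.html", forged, refinements),
    sameDomain: enforce("https://www.bank.example/account", forged, refinements),
    intended: enforce("https://payments.example/checkout", forged, refinements),
    intendedWrongMethod: enforce("https://payments.example/checkout",
                                 { ...forged, method: "GET" }, refinements),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, r] of Object.entries(demo())) {
    console.log(name, r.action, Object.keys(r.request.headers).join(","));
  }
}
```

The forged request from attacker.example reaches bank.example without its Cookie header, so the server sees an anonymous transfer attempt and rejects it, while the bank's own pages and the declared partner keep working; the partner's GET still loses its credentials because the refinement only covers POST. The real extension also has to consider redirects, the initiator of a navigation versus a subresource load, and non-cookie authentication such as HTTP auth, none of which this model attempts.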
This paper references
RequestPolicy
J. Samuel
The Multi-Principal OS Construction of the Gazelle Web Browser
H. Wang (2009)
Forging HTTP request headers with Flash. http://www.securityfocus.com/archive/1/441014
A. Klein (2006)
Augmented BNF for Syntax Specifications: ABNF
D. Crocker (2008)
Take advantage of ASP.NET built-in features to fend off web attacks
D Esposito (2005)
Adobe Flash Player 9 security
Adobe (2008)
Cross-origin resource sharing
A. van Kesteren (2009)
R. Fielding et al. (1999)
The ten most critical web application security vulnerabilities
OWASP (2008)
CSRF Guard
OWASP
Browser protection against cross-site request forgery
Wim Maes (2009)
Robust defenses for cross-site request forgery
A. Barth (2008)
Cross-Site Request Forgeries : Exploitation and Prevention
W. Zeller (2008)
RequestRodeo: Client-Side Protection against Session Riding
F. Piessens (2006)
Browser Security Handbook
M Zalewski (2008)
Chromium Developer Documentation: Process Models (design-documents/process-models)
Design Patterns
Cyril S. Ku (2008)
Preventing Cross Site Request Forgery Attacks
N. Jovanovic (2006)
Hypertext Transfer Protocol (HTTP)
D. Martakos (1996)
Defeating script injection attacks with browser-enforced embedded policies
T. Jim (2007)
HTTP request smuggling
C Linhart (2005)
Design Patterns
Christopher G. Lasater (2006)
Session tracking on the web
V. Raghvendra (2000)
Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection
Ziqing Mao (2009)

This paper is referenced by
Provably Sound Browser-Based Enforcement of Web Session Integrity
M. Bugliesi (2014)
Detection, Avoidance, and Attack Pattern Mechanisms in Modern Web Application Vulnerabilities: Present and Future Challenges
S. Gupta (2017)
Automatic and Precise Client-Side Protection against CSRF Attacks
Philippe De Ryck (2011)
Quite a mess in my cookie jar!: leveraging machine learning to protect web authentication
S. Calzavara (2014)
Lightweight server support for browser-based CSRF protection
Alexei Czeskis (2013)
Gibraltar: Exposing Hardware Devices to Web Pages Using AJAX
Kaisen Lin (2012)
CORP: A Browser Policy to Mitigate Web Infiltration Attacks
Krishna Chaitanya Telikicherla (2014)
Client-Side Detection of Cross-Site Request Forgery Attacks
Hossain Shahriar (2010)
SessionShield: Lightweight Protection against Session Hijacking
N. Nikiforakis (2011)
Enforcing Session Integrity in the World "Wild" Web
Mauro Tempesta (2015)
Towards revealing JavaScript program intents using abstract interpretation
G. Blanc (2010)
A Study of the Effectiveness of CSRF Guard
Boyan Chen (2011)
Surviving the Web: A Journey into Web Session Security
S. Calzavara (2018)
Reactive non-interference for the browser: extended version
Nataliia Bielova (2011)
Deliverable D1.1 Web-platform security guide: Security assessment of the Web ecosystem
P. De Ryck (2013)
CsFire: browser-enforced mitigation against CSRF
L. Desmet (2010)
A User-Level Authentication Scheme to Mitigate Web Session-Based Vulnerabilities
Bastian Braun (2012)
Protection, usability and improvements in reflected XSS filters
Riccardo Pelizzi (2012)
Cross-domain vulnerabilities over social networks
C. Bernard (2012)
Prevention Against CSRF Attack using Client Server Mutual Authentication Technique
Sheeghrata Agnihotri (2019)
CookiExt: Patching the browser against session hijacking attacks
M. Bugliesi (2015)
XSS-immune: a Google chrome extension-based XSS defensive framework for contemporary platforms of web applications
S. Gupta (2016)
Web-based Secure Application Control
Bastian Braun (2015)
DEMACRO: Defense against Malicious Cross-Domain Requests
Sebastian Lekies (2012)
A Privacy-Preserving Defense Mechanism against Request Forgery Attacks
Ben S. Y. Fung (2011)
A server- and browser-transparent CSRF defense for web 2.0 applications
Riccardo Pelizzi (2011)
Improving session security in web applications
Bram Bonné (2011)
MySecPol: A Client-Side Policy Language for Safe and Secure Browsing
Amit Pathania (2018)
Information Security Controls against Cross-Site Request Forgery Attacks on Software Applications of Automated Systems
A. Barabanov (2018)
Large-Scale Analysis & Detection of Authentication Cross-Site Request Forgeries
Avinash Sudhodanan (2017)
WebJail: least-privilege integration of third-party components in web mashups
S. Van Acker (2011)
Surviving the Web
S. Calzavara (2017)