Robust Defenses For Cross-site Request Forgery

A. Barth, C. Jackson, J. Mitchell
Published 2008 · Computer Science

Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the honest web site as the attacker. The severity of a login CSRF vulnerability varies by site, but it can be as severe as a cross-site scripting vulnerability. We detail three major CSRF defense techniques and find shortcomings with each technique. Although the HTTP Referer header could provide an effective defense, our experimental observation of 283,945 advertisement impressions indicates that the header is widely blocked at the network layer due to privacy concerns. Our observations do suggest, however, that the header can be used today as a reliable CSRF defense over HTTPS, making it particularly well-suited for defending against login CSRF. For the long term, we propose that browsers implement the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns.
This paper references
10.1145/1516046.1516066
Securing frame communication in browsers
A. Barth (2009)
10.1145/1367497.1367569
Forcehttps: protecting high-security web sites from network attacks
C. Jackson (2008)
10.1007/3-540-39200-9_18
CAPTCHA: Using Hard AI Problems for Security
L. V. Ahn (2003)
Xploiting Google gadgets: Gmalware and beyond
Robert Hansen (2008)
Persistent client state: HTTP cookies
Netscape
HTTP state management mechanism v2. IETF Internet Draft, February 2008
Yngve Pettersen (2008)
Ruby on Rails
OWASP CSRFGuard Project (2008)
Luis von Ahn
Session Fixation
Weilin Zhong (2008)
Session Fixation
Rogan Dawes (2008)
Prototype JavaScript framework
10.1109/SECCOMW.2006.359531
Preventing Cross Site Request Forgery Attacks
N. Jovanovic (2006)
Microsoft Internet Explorer "XMLHTTP" HTTP request injection
Secunia (2005)
HTML 5 Working Draft. http://www.whatwg.org/specs/web-apps/current-work
Ian Hickson
Frame busting
Peter-Paul Koch
10.1109/MS.2007.176
Ruby on Rails
Michael Bächle (2007)
An informal chat with Google, March 2008. http://www.davidairey.com/google-site-links-gmail-hack-search-penalty
David Airey (2008)
The Referer header, intranets and privacy, February 2007. http://cephas.net/blog/2007/02/06/the-referer-header-intranets-and-privacy
Aaron Johnson (2007)
10.1145/1135777.1135884
Protecting browser state from web privacy attacks
C. Jackson (2006)
Web Spoofing: An Internet Con Game
E. Felten (1997)
Session handling functions
Php Manual
The cross-site request forgery (CSRF/XSRF) FAQ
Robert Auger (2007)
10.1145/1462148.1462150
Protecting browsers from DNS rebinding attacks
C. Jackson (2009)
Xploiting Google gadgets
Robert Hansen (2008)
Google Gmail e-mail hijack technique, September 2007. http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique
Petko D. Petkov (2007)
Defeating frame busting techniques, 2005. http://crypto.stanford.edu/framebust
Collin Jackson (2005)
Privacy tip #3: Block Referer headers in Firefox
Elliotte Rusty Harold (2006)
10.1145/1455518.1455524
Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure
S. Antonatos (2008)
A Face Is Exposed for AOL Searcher No
M. Barbaro (2006)
Sans top-20 security risks
Rohit Dhamankar (2007)
10.17487/RFC1945
Hypertext Transfer Protocol - HTTP/1.0
Hu Cao (1996)
Cross-document messaging
Ian Hickson
Defeating frame busting techniques
Collin Jackson (2005)
Multiple browser cookie injection
Paul Johnston (2004)
Google's Gmail security failure leaves my business sabotaged
David Airey (2007)
Requestrodeo: Client Side Protection against Session Riding
F. Piessens (2006)
10.1007/978-3-540-77366-5_28
WSKE: Web Server Key Enabled Cookies
Chris Masone (2007)
10.1145/1146847.1146848
A picture of search
G. Pass (2006)
Changes to inline gadgets
Dan Holevoet (2008)
10.1145/1315245.1315254
Dynamic pharming attacks and locked same-origin policies for web browsers
C. Karlof (2007)
OpenID authentication 2
Brad Fitzpatrick (2007)
Google Gmail e-mail hijack technique. http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique
Petko D. Petkov (2007)
The Referer header, intranets and privacy. http://cephas.net/blog/2007/02/06/the-referer-header-intranets-and-privacy
Aaron Johnson (2007)
Session Fixation, 2008. http://www.owasp.org/index.php/Session_Fixation
Weilin Zhong (2008)
Access control for cross-site requests
Anne Van
Exploiting the XMLHttpRequest object in IE—Referrer spoofing and a lot more
Amit Klein (2005)
HTTP State Management Mechanism. RFC 2109
David Kristol (1997)
XSS Attacks: Cross Site Scripting Exploits and Defense
Seth Fogie (2007)
10.17487/RFC2068
Hypertext Transfer Protocol - HTTP/1.1
R. Fielding (1997)
An informal chat with Google. http://www.davidairey.com/google-site-links-gmail-hack-search-penalty
David Airey (2008)
Security for GWT Applications. http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications
Google
10.17487/RFC2109
HTTP State Management Mechanism
D. Kristol (1997)
Privacy tip #3: Block Referer headers in Firefox. http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox
Elliotte Rusty Harold (2006)
Multiple browser cookie injection vulnerabilities
Paul Johnston (2004)
OpenID Authentication 2.0. http://openid.net/specs/openid-authentication-2_0.html
Brad Fitzpatrick (2007)
Foundations of Security - What Every Programmer Needs to Know
Neil Daswani (2007)
Session Fixation Protection, 2008. http://www.owasp.org/index.php/Session_Fixation_Protection
Rogan Dawes (2008)
10.1145/1124772.1124861
Why phishing works
Rachna Dhamija (2006)
This paper is referenced by
WebShield: Enabling Various Web Defense Techniques without Client Side Modifications
Z. Li (2011)
10.1109/ICUFN.2012.6261713
Securing home networks using Physically Unclonable Functions
Sushmita Ruj (2012)
10.1016/j.cose.2012.08.007
An authentication flaw in browser-based Single Sign-On protocols: Impact and remediations
Alessandro Armando (2013)
10.1109/CloudCom.2013.75
Adapting Workflows Using Generic Schemas: Application to the Security of Business Processes
Ronan-Alexandre Cherrueau (2013)
10.5120/14119-2221
An Empirical study of HTML5 Websockets and their Cross Browser behavior for Mixed Content and Untrusted Certificates
Achin Kulshrestha (2013)
Here Come The ⊕ Ninjas
Thai Duong (2011)
Mobile Security Knowledge Area Issue 1.0
Sascha Fahl (2019)
Click jacking Vulnerability Analysis and Providing Security against WEB Attacks Using White listing URL analyzer
(2015)
Parameter Pollution Vulnerabilities in Web Applications
Marco 'embyte' Balduzzi (2011)
Deliverable D1.1 Web-platform security guide: Security assessment of the Web ecosystem
P. D. Ryck (2013)
10.1109/ICSMC.2011.6083845
SmartNotes: Application of crowdsourcing to the detection of web threats
Mehrbod Sharifi (2011)
10.11591/IJINS.V1I3.707
Client Side CSRF Defensive Tool
Rupali kombade (2012)
10.1109/TrustCom.2013.200
A Comprehensive Approach to Abusing Locality in Shared Web Hosting Servers
Seyed Ali Mirheidari (2013)
10.1155/2018/8056195
CEPTM: A Cross-Edge Model for Diverse Personalization Service and Topic Migration in MEC
H. Wu (2018)
10.1109/ICCSN.2017.8230288
A static backward taint data analysis method for detecting web application vulnerabilities
Xuexiong Yan (2017)
10.1109/CCTES.2018.8674115
E-learning Platforms Security Issues and Vulnerability Analysis
Meghna Bhatia (2018)
Revisiting Security Vulnerabilities: Web Applications Perspective
Rohit Kumar (2013)
10.1109/COMST.2018.2867288
Security and Privacy of Smart Cities: A Survey, Research Issues and Challenges
M. Sookhak (2019)
Analyzing the Crossdomain Policies of Flash Applications
D. Jang (2011)
10.3233/978-1-60750-014-8-149
Software Security Vulnerabilities Seen As Feature Interactions
G. Jourdan (2009)
MODERN TECHNIQUES FOR THE DETECTION AND PREVENTION OF WEB2.0 ATTACKS
E. Athanasopoulos (2011)
Advanced Automated Web Application Vulnerability Analysis
S. Bárbara (2014)
10.1145/2508859.2516722
Content-based isolation: rethinking isolation policy design on client systems
Alexander Moshchuk (2013)
Testing and Modeling Security Mechanisms in Web Applications
T. Mouelhi (2010)
Virtualisation-based security countermeasures in software runtime systems
F. Gadaleta (2013)
10.1007/978-3-642-35182-2_6
Succour to the Confused Deputy - Types for Capabilities
Radha Jagadeesan (2012)
10.3233/JCS-130494
Scriptless attacks: Stealing more pie without touching the sill
M. Heiderich (2014)
Web Session Security: Formal Verification, Client-Side Enforcement and Experimental Analysis
Wilayat Khan (2015)
10.4018/978-1-5225-0245-6.CH017
Management Conflicts in E-Learning Environment: Vulnerabilities in E-Learning Environments
Tomas Martinez (2016)
10.1145/2818000.2818029
Cross-Site Framing Attacks
Nethanel Gelernter (2015)
10.1109/csf49147.2020.00016
Language-Based Web Session Integrity
S. Calzavara (2020)
10.14722/ndss.2017.23414
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web
Tobias Lauinger (2017)