Robust Defenses For Cross-site Request Forgery

A. Barth, C. Jackson, J. Mitchell
Published 2008 · Computer Science

Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the honest web site as the attacker. The severity of a login CSRF vulnerability varies by site, but it can be as severe as a cross-site scripting vulnerability. We detail three major CSRF defense techniques and find shortcomings with each technique. Although the HTTP Referer header could provide an effective defense, our experimental observation of 283,945 advertisement impressions indicates that the header is widely blocked at the network layer due to privacy concerns. Our observations do suggest, however, that the header can be used today as a reliable CSRF defense over HTTPS, making it particularly well-suited for defending against login CSRF. For the long term, we propose that browsers implement the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns.
This paper references
Securing frame communication in browsers
A. Barth (2009)
Forcehttps: protecting high-security web sites from network attacks
C. Jackson (2008)
CAPTCHA: Using Hard AI Problems for Security
L. V. Ahn (2003)
Xploiting Google gadgets: Gmalware and beyond
Robert Hansen (2008)
Persistent client state: HTTP cookies
HTTP state management mechanism v2. IETF Internet Draft, February 2008
Yngve Pettersen (2008)
Ruby on Rails
OWASP CSRFGuard Project (2008)
Session Fixation
Weilin Zhong (2008)
Session Fixation
Rogan Dawes (2008)
Prototype JavaScript framework
Preventing Cross Site Request Forgery Attacks
N. Jovanovic (2006)
Microsoft Internet Explorer "XMLHTTP" HTTP request injection
Secunia (2005)
HTML 5 Working Draft. http: //
Ian Hickson
Frame busting
Peter-Paul Koch
Ruby on Rails
Michael Bächle (2007)
An informal chat with Google, March 2008. google-site-links-gmail-hack-search-penalty
David Airey (2008)
The Referer header, intranets and privacy, February 2007. the-referer-header-intranets-and-privacy
Aaron Johnson (2007)
Protecting browser state from web privacy attacks
C. Jackson (2006)
Web Spoofing: An Internet Con Game
E. Felten (1997)
Session handling functions
Php Manual
The cross-site request forgery (CSRF/XSRF) FAQ
Robert Auger (2007)
Protecting browsers from DNS rebinding attacks
C. Jackson (2009)
Google Gmail e-mail hijack technique, September 2007. google-gmail-e-mail-hijack-technique
Petko D. Petkov (2007)
Defeating frame busting techniques, 2005.
Collin Jackson (2005)
Privacy tip #3: Block Referer headers in Firefox
Elliotte Rusty Harold (2006)
Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure
S. Antonatos (2008)
A Face Is Exposed for AOL Searcher No
M. Barbaro (2006)
Sans top-20 security risks
Rohit Dhamankar (2007)
Hypertext Transfer Protocol - HTTP/1.0
Hu Cao (1996)
Cross-document messaging
Ian Hickson
Multiple browser cookie injection
Paul Johnston (2004)
Google's Gmail security failure leaves my business sabotaged
David Airey (2007)
Requestrodeo: Client Side Protection against Session Riding
F. Piessens (2006)
WSKE: Web Server Key Enabled Cookies
Chris Masone (2007)
A picture of search
G. Pass (2006)
Changes to inline gadgets
Dan Holevoet (2008)
Dynamic pharming attacks and locked same-origin policies for web browsers
C. Karlof (2007)
OpenID authentication 2
Brad Fitzpatrick (2007)
Access control for cross-site requests
Anne Van
Exploiting the XMLHttpRequest object in IE—Referrer spoofing and a lot more
Amit Klein (2005)
HTTP State Management Mechanism. RFC 2109
David Kristol (1997)
XSS Attacks: Cross Site Scripting Exploits and Defense
Seth Fogie (2007)
Hypertext Transfer Protocol - HTTP/1.1
R. Fielding (1997)
Security for GWT Applications. http: // web/security-for-gwt-applications
Foundations of Security - What Every Programmer Needs to Know
Neil Daswani (2007)
Why phishing works
Rachna Dhamija (2006)

This paper is referenced by
WebShield: Enabling Various Web Defense Techniques without Client Side Modifications
Z. Li (2011)
Securing home networks using Physically Unclonable Functions
Sushmita Ruj (2012)
An authentication flaw in browser-based Single Sign-On protocols: Impact and remediations
Alessandro Armando (2013)
Adapting Workflows Using Generic Schemas: Application to the Security of Business Processes
Ronan-Alexandre Cherrueau (2013)
An Empirical study of HTML5 Websockets and their Cross Browser behavior for Mixed Content and Untrusted Certificates
Achin Kulshrestha (2013)
Here Come The ⊕ Ninjas
Thai Duong (2011)
Mobile Security Knowledge Area Issue 1.0
Sascha Fahl (2019)
Click jacking Vulnerability Analysis and Providing Security against WEB Attacks Using White listing URL analyzer
Parameter Pollution Vulnerabilities in Web Applications
Marco 'embyte' Balduzzi (2011)
Deliverable D1.1 Web-platform security guide: Security assessment of the Web ecosystem
P. D. Ryck (2013)
SmartNotes: Application of crowdsourcing to the detection of web threats
Mehrbod Sharifi (2011)
Client Side CSRF Defensive Tool
Rupali kombade (2012)
A Comprehensive Approach to Abusing Locality in Shared Web Hosting Servers
Seyed Ali Mirheidari (2013)
CEPTM: A Cross-Edge Model for Diverse Personalization Service and Topic Migration in MEC
H. Wu (2018)
A static backward taint data analysis method for detecting web application vulnerabilities
Xuexiong Yan (2017)
E-learning Platforms Security Issues and Vulnerability Analysis
Meghna Bhatia (2018)
Revisiting Security Vulnerabilities: Web Applications Perspective
Rohit Kumar (2013)
Security and Privacy of Smart Cities: A Survey, Research Issues and Challenges
M. Sookhak (2019)
Analyzing the Crossdomain Policies of Flash Applications
D. Jang (2011)
Software Security Vulnerabilities Seen As Feature Interactions
G. Jourdan (2009)
E. Athanasopoulos (2011)
Advanced Automated Web Application Vulnerability Analysis
S. Bárbara (2014)
Content-based isolation: rethinking isolation policy design on client systems
Alexander Moshchuk (2013)
Testing and Modeling Security Mechanisms in Web Applications
T. Mouelhi (2010)
Virtualisation-based security countermeasures in software runtime systems
F. Gadaleta (2013)
Succour to the Confused Deputy - Types for Capabilities
Radha Jagadeesan (2012)
Scriptless attacks: Stealing more pie without touching the sill
M. Heiderich (2014)
Web Session Security: Formal Verification, Client-Side Enforcement and Experimental Analysis
Wilayat Khan (2015)
Management Conflicts in E-Learning Environment: Vulnerabilities in E-Learning Environments
Tomas Martinez (2016)
Cross-Site Framing Attacks
Nethanel Gelernter (2015)
Language-Based Web Session Integrity
S. Calzavara (2020)
Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web
Tobias Lauinger (2017)