Robust defenses for cross-site request forgery

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Robust defenses for cross-site request forgery

Full text

Pdf (3.13 MB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 15th ACM conference on Computer and communications security table of contents

Alexandria, Virginia, USA

SESSION: Browser security table of contents

Pages 75-88

Year of Publication: 2008

ISBN:978-1-59593-810-7

Authors

Adam Barth	Stanford University, Stanford, CA, USA
Collin Jackson	Stanford University, Stanford, CA, USA
John C. Mitchell	Stanford University, Stanford, CA, USA

Sponsors

ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 104, Downloads (12 Months): 624, Citation Count: 1

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1455770.1455782 What is a DOI?

ABSTRACT

Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the honest web site as the attacker. The severity of a login CSRF vulnerability varies by site, but it can be as severe as a cross-site scripting vulnerability. We detail three major CSRF defense techniques and find shortcomings with each technique. Although the HTTP Referer header could provide an effective defense, our experimental observation of 283,945 advertisement impressions indicates that the header is widely blocked at the network layer due to privacy concerns. Our observations do suggest, however, that the header can be used today as a reliable CSRF defense over HTTPS, making it particularly well-suited for defending against login CSRF. For the long term, we propose that browsers implement the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	David Airey. Google's Gmail security failure leaves my business sabotaged, December 2007. http://www.davidairey.co.uk/google-gmail-security-hijack/.
	2	Robert Auger. The cross-site request forgery (CSRF/XSRF) FAQ, 2007. http://www.cgisecurity.com/articles/csrf-faq.shtml.
	3	Michael Barbaro and Tom Zeller Jr. A face is exposed for AOL searcher no. 4417749. The New York Times, August 2006. http://www.nytimes.com/2006/08/09/technology/09aol.htm.
	4	Adam Barth, Collin Jackson, and John C. Mitchell. Securing frame communication in browsers. In In Proceedings of the 17th USENIX Security Symposium (USENIX Security 2008), July 2008.
	5	T. Berners-Lee , R. Fielding , H. Frystyk, Hypertext Transfer Protocol -- HTTP/1.0, RFC Editor, 1996
	6	Douglas Crockford. JSONRequest, 2006. http://json.org/JSONRequest.html.
	7	Neil Daswani , Christoph Kern , Anita Kesavan, Foundations of Security: What Every Programmer Needs to Know, Apress, Berkely, CA, 2007
	8	Rogan Dawes. Session Fixation, 2008. http://www.owasp.org/index.php/Session_Fixation_Protection.
	9	Rohit Dhamankar et al. Sans top-20 security risks, 2007. http://www.sans.org/top20/2007/.
	10	Rachna Dhamija , J. D. Tygar , Marti Hearst, Why phishing works, Proceedings of the SIGCHI conference on Human Factors in computing systems, April 22-27, 2006, Montréal, Québec, Canada [doi>10.1145/1124772.1124861]
	11	E. W. Felten, D. Balfanz, D. Dean, and D. S. Wallach. Web Spoofing: An Internet Con Game. In 20th National Information Systems Security Conference, October 1997.
	12	Brad Fitzpatrick, David Recordon, Dick Hardt, Johnny Bufu, Josh Hoyt, et al. OpenID authentication 2.0, December 2007. http://openid.net/specs/openid-authentication-2_0.html.
	13	Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, and Petko D. Petkov. XSS Attacks: Cross Site Scripting Exploits and Defense. Syngress, 2007.
	14	Mozilla Foundation. Security advisory 2005-58, September 2005. http://www.mozilla.org/security/announce/2005/mfsa2005-58.html.
	15	Google. Security for GWT Applications. http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications.
	16	Robert Hansen and Tom Stracener. Xploiting Google gadgets: Gmalware and beyond, August 2008. Black Hat briefing.
	17	Elliotte Rusty Harold. Privacy tip #3: Block Referer headers in Firefox, October 2006. http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/.
	18	Mario Heiderich. CSRFx, 2007. http://php-ids.org/category/csrfx/.
	19	Ian Hickson et al. Cross-document messaging. http://www.w3.org/html/wg/html5/#crossDocumentMessages.
	20	Ian Hickson et al. HTML 5 Working Draft. http://www.whatwg.org/specs/web-apps/current-work/.
	21	Dan Holevoet. Changes to inline gadgets, August 2008. http://igoogledeveloper.blogspot.com/2008/08/changes-to-inlined-gadgets.html.
	22	Collin Jackson. Defeating frame busting techniques, 2005. http://crypto.stanford.edu/framebust/.
	23	Collin Jackson , Adam Barth, Forcehttps: protecting high-security web sites from network attacks, Proceeding of the 17th international conference on World Wide Web, April 21-25, 2008, Beijing, China [doi>10.1145/1367497.1367569]
	24	Collin Jackson , Adam Barth , Andrew Bortz , Weidong Shao , Dan Boneh, Protecting browsers from dns rebinding attacks, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA [doi>10.1145/1315245.1315298]
	25	Collin Jackson , Andrew Bortz , Dan Boneh , John C. Mitchell, Protecting browser state from web privacy attacks, Proceedings of the 15th international conference on World Wide Web, May 23-26, 2006, Edinburgh, Scotland [doi>10.1145/1135777.1135884]
	26	Martin Johns and Justus Winter. RequestRodeo: Client side protection against session riding. In Proceedings of the OWASP Europe 2006 Conference, May 2006.
	27	Aaron Johnson. The Referer header, intranets and privacy, February 2007. http://cephas.net/blog/2007/02/06/the-referer-header-intranets-and-privacy/.
	28	Paul Johnston and Richard Moore. Multiple browser cookie injection vulnerabilities, September 2004. http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt.
	29	Nenad Jovanovic, Engin Kirda, and Christopher Kruegel. Preventing cross site request forgery attacks. In IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), 2006.
	30	Chris Karlof , Umesh Shankar , J. D. Tygar , David Wagner, Dynamic pharming attacks and locked same-origin policies for web browsers, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA [doi>10.1145/1315245.1315254]
	31	Amit Klein. Exploiting the XMLHttpRequest object in IE--Referrer spoofing and a lot morełdots, September 2005. http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml.
	32	Peter-Paul Koch. Frame busting. http://www.quirksmode.org/js/framebust.html.
	33	D. Kristol , L. Montulli, HTTP State Management Mechanism, RFC Editor, 2000
	34	D. Kristol , L. Montulli, HTTP State Management Mechanism, RFC Editor, 1997
	35	V. T. Lam , S. Antonatos , P. Akritidis , K. G. Anagnostakis, Puppetnets: misusing web browsers as a distributed attack infrastructure, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA [doi>10.1145/1180405.1180434]
	36	PHP Manual. Session handling functions. http://www.phpbuilder.com/manual/en/ref.session.php.
	37	Chris Masone, Kwang-Hyun Baek, and Sean Smith. WSKE: Web server key enabled cookies. In Proceedings of Usable Security 2007 (USEC '07).
	38	Microsoft. XDomainRequest object. http://msdn2.microsoft.com/en-us/library/cc288060(VS.85).aspx.
	39	Netscape. Persistent client state: HTTP cookies. http://wp.netscape.com/newsref/std/cookie_spec.html.
	40	Greg Pass , Abdur Chowdhury , Cayley Torgeson, A picture of search, Proceedings of the 1st international conference on Scalable information systems, p.1-es, May 30-June 01, 2006, Hong Kong [doi>10.1145/1146847.1146848]
	41	Petko D. Petkov. Google Gmail e-mail hijack technique, September 2007. http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/.
	42	Yngve Pettersen. HTTP state management mechanism v2. IETF Internet Draft, February 2008. http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-02.txt.
	43	phpBB. http://phpbb.com/.
	44	Prototype JavaScript framework. http://www.prototypejs.org/.
	45	Ruby on rails. http://www.rubyonrails.org/.
	46	Secunia. Microsoft Internet Explorer "XMLHTTP" HTTP request injection, September 2005. http://secunia.com/advisories/16942/.
	47	Eric Sheridan. OWASP CSRFGuard Project, 2008. http://www.owasp.org/index.php/CSRF_Guard.
	48	Trac. http://trac.edgewall.org/.
	49	Anne van Kesteren et al. Access control for cross-site requests. http://www.w3.org/TR/access-control/.
	50	Luis von Ahn, Nick Hopper Manuel Blum, and John Langford. CAPTCHA: Using hard AI problems for security. In Eurocrypt 2003.
	51	Weilin Zhong. Session Fixation, 2008. http://www.owasp.org/index.php/Session_Fixation.