A server- and browser-transparent CSRF defense for web 2.0 applications

Asia-Pacific Computer Systems Architecture Conference Pub Date : 2011-12-05 DOI:10.1145/2076732.2076768

Riccardo Pelizzi, R. Sekar

{"title":"A server- and browser-transparent CSRF defense for web 2.0 applications","authors":"Riccardo Pelizzi, R. Sekar","doi":"10.1145/2076732.2076768","DOIUrl":null,"url":null,"abstract":"Cross-Site Request Forgery (CSRF) vulnerabilities constitute one of the most serious web application vulnerabilities, ranking fourth in the CWE/SANS Top 25 Most Dangerous Software Errors. By exploiting this vulnerability, an attacker can submit requests to a web application using a victim user's credentials. A successful attack can lead to compromised accounts, stolen bank funds or information leaks. This paper presents a new server-side defense against CSRF attacks. Our solution, called jCSRF, operates as a serverside proxy, and does not require any server or browser modifications. Thus, it can be deployed by a site administrator without requiring access to web application source code, or the need to understand it. Moreover, protection is achieved without requiring web-site users to make use of a specific browser or a browser plug-in. Unlike previous server-side solutions, jCSRF addresses two key aspects of Web 2.0: extensive use of client-side scripts that can create requests to URLs that do not appear in the HTML page returned to the client; and services provided by two or more collaborating web sites that need to make cross-domain requests.","PeriodicalId":397003,"journal":{"name":"Asia-Pacific Computer Systems Architecture Conference","volume":"20 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-12-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"13","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Asia-Pacific Computer Systems Architecture Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2076732.2076768","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 13

Abstract

Cross-Site Request Forgery (CSRF) vulnerabilities constitute one of the most serious web application vulnerabilities, ranking fourth in the CWE/SANS Top 25 Most Dangerous Software Errors. By exploiting this vulnerability, an attacker can submit requests to a web application using a victim user's credentials. A successful attack can lead to compromised accounts, stolen bank funds or information leaks. This paper presents a new server-side defense against CSRF attacks. Our solution, called jCSRF, operates as a serverside proxy, and does not require any server or browser modifications. Thus, it can be deployed by a site administrator without requiring access to web application source code, or the need to understand it. Moreover, protection is achieved without requiring web-site users to make use of a specific browser or a browser plug-in. Unlike previous server-side solutions, jCSRF addresses two key aspects of Web 2.0: extensive use of client-side scripts that can create requests to URLs that do not appear in the HTML page returned to the client; and services provided by two or more collaborating web sites that need to make cross-domain requests.

查看原文本刊更多论文

针对web 2.0应用程序的服务器和浏览器透明的CSRF防御

跨站点请求伪造(CSRF)漏洞是最严重的web应用程序漏洞之一，在CWE/SANS最危险的25个软件错误中排名第四。通过利用此漏洞，攻击者可以使用受害者用户的凭据向web应用程序提交请求。成功的攻击可能导致账户受损、银行资金被盗或信息泄露。本文提出了一种新的服务器端防御CSRF攻击的方法。我们的解决方案称为jCSRF，它作为服务器端代理运行，不需要修改任何服务器或浏览器。因此，它可以由站点管理员部署，而不需要访问web应用程序源代码，也不需要理解它。此外，不需要网站用户使用特定的浏览器或浏览器插件就可以实现保护。与以前的服务器端解决方案不同，jCSRF解决了Web 2.0的两个关键方面:广泛使用客户端脚本，这些脚本可以创建对未出现在返回给客户端的HTML页面中的url的请求;以及由两个或多个协作网站提供的服务，这些网站需要进行跨域请求。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Asia-Pacific Computer Systems Architecture Conference

自引率

0.00%

发文量