Engineering Secure Software and Systems, Date: 2010/02/03 - 2010/02/04, Location: Pisa, Italy

Publication date: 2010-02-01
Volume: 5965, Pages: 18-34
ISSN: 3642117465, 978-3-642-11746-6
Publisher: Springer Berlin / Heidelberg

Lecture Notes in Computer Science

Authors:

De Ryck, Philippe; Desmet, Lieven; Heyman, Thomas; Piessens, Frank; Joosen, Wouter; Massacci, Fabio; Wallach, Dan; Zannone, Nicola

Keywords:

Cross-site Request Forgery, Web Application Security, Science & Technology, Technology, Computer Science, Information Systems, Computer Science, Software Engineering, Computer Science, Theory & Methods, Computer Science, Artificial Intelligence & Image Processing, 46 Information and computing sciences

Abstract:

Protecting users in the ubiquitous online world is becoming more and more important, as shown by web application security, or the lack thereof, making the mainstream news. One of the more harmful attacks is cross-site request forgery (CSRF), which allows an attacker to make requests to certain web applications while impersonating the user, without the user's awareness. Existing client-side protection mechanisms do not fully mitigate the problem, or they degrade the user's browsing experience, especially with web 2.0 techniques such as AJAX, mashups and single sign-on. To fill this gap, this paper makes three contributions. First, a thorough analysis of real-world traffic quantifies the amount of cross-domain traffic and identifies its specific properties. Second, a client-side enforcement policy has been constructed and a Firefox extension, named CsFire (CeaseFire), has been implemented to autonomously mitigate CSRF attacks as precisely as possible. Evaluation was done using specific CSRF scenarios, as well as in real life by a group of test users. Third, the granularity of the client-side policy is improved even further by incorporating server-specific policy refinements about intended cross-domain traffic.