Title: CsFire: Transparent client-side mitigation of malicious cross-domain requests
Authors: De Ryck, Philippe
Desmet, Lieven
Heyman, Thomas
Piessens, Frank
Joosen, Wouter #
Issue Date: Feb-2010
Publisher: Springer Berlin / Heidelberg
Host Document: Lecture Notes in Computer Science vol:5965 pages:18-34
Conference: Engineering Secure Software and Systems edition:2 location:Pisa, Italy date:3-4 February 2010
Abstract: Protecting users in the ubiquitous online world is becoming more and more important, as shown by web application security -- or the lack thereof -- making the mainstream news. One of the more harmful attacks is cross-site request forgery (CSRF), which allows an attacker to make requests to certain web applications while impersonating the user, without the user's awareness. Existing client-side protection mechanisms do not fully mitigate the problem or have a degrading effect on the user's browsing experience, especially with web 2.0 techniques such as AJAX, mashups and single sign-on. To fill this gap, this paper makes three contributions. First, a thorough analysis of real-world traffic quantifies the amount of cross-domain traffic and identifies its specific properties. Second, a client-side enforcement policy has been constructed and a Firefox extension, named CsFire (CeaseFire), has been implemented to autonomously mitigate CSRF attacks as precisely as possible. Evaluation was done both with specific CSRF scenarios and in real life by a group of test users. Third, the granularity of the client-side policy is improved even further by incorporating server-specific policy refinements about intended cross-domain traffic.
ISBN: 978-3-642-11746-6
ISSN: 0302-9743
Publication status: published
KU Leuven publication type: IC
Appears in Collections:Informatics Section
# (joint) last author

Files in This Item:
paper.pdf (Full paper, Published, 169Kb, Adobe PDF)
