
Attacks on the Browser’s Requests

Chapter

Part of the book series: SpringerBriefs in Computer Science (BRIEFSCOMPUTER)

Abstract

By attacking the browser’s requests, an attacker is able to trick the user’s browser into sending requests to a target application. Since these requests originate from the user’s browser, a vulnerable application is unable to distinguish them from legitimate requests, thus allowing the attacker to perform actions in the user’s name. The two most common ways of forging requests from the user’s browser are cross-site request forgery (CSRF), where requests are automatically sent by the browser, and UI redressing, where the user is tricked into interacting with a seemingly innocent page, while the interactions are actually sent to the target application. Real-life attacks on vulnerable applications have allowed attackers to transfer money from bank accounts, take over accounts through the password reset feature or secretly enable the webcam in the Flash player.
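The abstract's core point is that a forged request looks like a legitimate one because it carries the user's cookies. The server-side check below is an added example, not code from the chapter: it combines the two standard mitigations for the CSRF variant (a per-session synchronizer token compared in constant time, plus validation of the Origin header with a Referer fallback) and the response headers that block the UI redressing variant. `SITE_ORIGIN`, the header dictionaries and the session store are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed placeholder: the origin of the application being protected.
SITE_ORIGIN = "https://bank.example"

def issue_token(session):
    """Bind a fresh random token to the server-side session
    (synchronizer token pattern); the page embeds it in forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def request_origin(headers):
    """Return the requesting origin from Origin, falling back to Referer
    (the header keeps its historic misspelling); None if neither is usable."""
    if headers.get("Origin"):
        return headers["Origin"].rstrip("/").lower()
    ref = headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None

def is_forgery(method, headers, form, session):
    """True if a state-changing request should be rejected as cross-site.
    Safe methods pass; they must never change state on the server."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return False
    origin = request_origin(headers)
    # Strict mode: no origin information at all is treated as untrusted.
    if origin is None or origin != SITE_ORIGIN:
        return True
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    return not (expected and hmac.compare_digest(expected.encode(), supplied.encode()))

def anti_framing_headers():
    """Response headers that stop other origins from embedding the page,
    which removes the UI redressing (clickjacking) vector."""
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}
```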


Notes

  1. The Referer header was originally misspelled in the specification, and the header has kept this name to this day. In text, the correctly spelled "referrer" is more commonly used.


Author information

Corresponding author: Philippe De Ryck.


Copyright information

© 2014 Philippe De Ryck, Lieven Desmet, Frank Piessens, Martin Johns

Cite this chapter

De Ryck, P., Desmet, L., Piessens, F., Johns, M. (2014). Attacks on the Browser’s Requests. In: Primer on Client-Side Web Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-12226-7_6

  • DOI: https://doi.org/10.1007/978-3-319-12226-7_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12225-0

  • Online ISBN: 978-3-319-12226-7
