Abstract
By attacking the browser’s requests, an attacker is able to trick the user’s browser into sending requests to a target application. Since these requests originate from the user’s browser, a vulnerable application is unable to distinguish them from legitimate requests, thus allowing the attacker to perform actions in the user’s name. The two most common ways of forging requests from the user’s browser are cross-site request forgery (CSRF), where requests are automatically sent by the browser, and UI redressing, where the user is tricked into interacting with a seemingly innocent page, while the interactions are actually sent to the target application. Real-life attacks on vulnerable applications have allowed attackers to transfer money from bank accounts, take over accounts through the password reset feature or secretly enable the webcam in the Flash player.
Notes
1. The Referer header was originally misspelled in the specification, and the header has kept this name to this day. In text, the correctly spelled "referrer" is more commonly used.
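The abstract's point is that a request forged from the user's browser carries the same session cookie as a legitimate one, so a server that authorizes on the cookie alone cannot tell them apart. The following is an added example, not code from the chapter: a minimal model of a state-changing endpoint in the vulnerable cookie-only form beside a hardened form that requires a per-session synchronizer token and checks the `Origin` header (falling back to the `Referer` header, with the misspelling noted above). The site origin, session store and function names are assumptions for the illustration.

```python
# Added example (not from the chapter). Hypothetical target application:
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected app

# Constructed session store: session cookie value -> user and CSRF token.
SESSIONS = {"sess-abc": {"user": "alice", "csrf_token": secrets.token_hex(16)}}


def request_origin(headers):
    """Return the requesting origin: the Origin header if present, otherwise
    the origin part of the Referer header. Headers are assumed to use
    canonical names. A missing value (privacy tools often strip Referer)
    yields None, which the hardened handler treats as a rejection."""
    if headers.get("Origin"):
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def transfer_vulnerable(cookies, form):
    """Cookie-only authorization: the browser attaches the session cookie to
    any request aimed at this site, so a form submitted from a third-party
    page is indistinguishable from one the user submitted deliberately."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return "unauthenticated"
    return f"transferred {form['amount']} from {session['user']} to {form['to']}"


def transfer_hardened(cookies, headers, form):
    """Same endpoint with two independent checks a forged request fails."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return "unauthenticated"
    # Synchronizer token: only same-origin pages can read it into the form,
    # so a cross-site form cannot supply the correct value.
    if not secrets.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return "rejected: bad csrf token"
    # Defence in depth: the request must come from this site's own origin.
    if request_origin(headers) != SITE_ORIGIN:
        return "rejected: cross-origin request"
    return f"transferred {form['amount']} from {session['user']} to {form['to']}"
```

Run the two handlers with the same cookie and a form posted from a foreign origin to see that only the hardened one rejects it.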
© 2014 Philippe De Ryck, Lieven Desmet, Frank Piessens, Martin Johns
Ryck, P., Desmet, L., Piessens, F., Johns, M. (2014). Attacks on the Browser’s Requests. In: Primer on Client-Side Web Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-12226-7_6
DOI: https://doi.org/10.1007/978-3-319-12226-7_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12225-0
Online ISBN: 978-3-319-12226-7