Abstract
A common client-side countermeasure against Cross Site Request Forgery (CSRF) is to strip session and authentication information from malicious requests. The difficulty, however, lies in determining when a request is malicious. Existing client-side countermeasures are typically too strict and therefore break many existing websites that rely on authenticated cross-origin requests, such as sites that use third-party payment or single sign-on solutions.
The contribution of this paper is the design, implementation and evaluation of a request filtering algorithm that automatically and precisely identifies expected cross-origin requests, based on whether they are preceded by certain indicators of collaboration between sites. We formally show through bounded-scope model checking that our algorithm protects against CSRF attacks under one specific assumption about the way in which good sites collaborate cross-origin. We provide experimental evidence that this assumption is realistic: in a data set of 4.7 million HTTP requests involving over 20,000 origins, we found only 10 origins that violate the assumption. Hence, the remaining attack surface for CSRF attacks is very small. In addition, we show that our filtering does not break typical non-malicious cross-origin collaboration scenarios such as payment and single sign-on.
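To make the filtering idea in the abstract concrete, the following is an added illustration (not the paper's own implementation or the CsFire code): a client-side filter that strips credentials from cross-origin requests unless the target origin is already known to have collaborated with the initiating origin. Which events count as "indicators of collaboration" is the paper's key assumption and is simplified here to one assumed indicator: an earlier request in the same session that the target origin itself sent to the initiating origin. The session below is constructed sample data.

```python
from urllib.parse import urlsplit
from collections import defaultdict

# Header names treated as ambient authority and removed from unexpected requests.
CREDENTIAL_HEADERS = ("cookie", "authorization")

def origin(url):
    """scheme://host[:port] of a URL, the unit the filter reasons about."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

class CollaborationFilter:
    """Browser-side CSRF filter. A cross-origin request keeps its credentials only
    if the target origin previously reached out to the initiating origin (assumed
    collaboration indicator for this example, not the paper's exact rule)."""
    def __init__(self):
        # origin -> set of origins it has sent requests to earlier in the session
        self.contacted = defaultdict(set)

    def filter(self, initiator_url, target_url, headers):
        """Return (headers to send, stripped?) for one outgoing request."""
        src, dst = origin(initiator_url), origin(target_url)
        self.contacted[src].add(dst)  # record that src is collaborating with dst
        if src == dst or src in self.contacted[dst]:
            return dict(headers), False  # same-origin or expected: leave intact
        kept = {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
        return kept, True

def run_session(flt, requests):
    """Apply the filter to (initiator page, target URL, headers) triples and return
    (target origin, stripped?) per request for inspection."""
    return [(origin(t), flt.filter(s, t, h)[1]) for s, t, h in requests]

# Constructed session: a shop hands the user over to a payment provider, the
# provider posts the result back to the shop, then an unrelated site forges
# the same confirmation request.
SESSION = [
    ("https://shop.example/cart", "https://shop.example/checkout", {"Cookie": "sid=1"}),
    ("https://shop.example/checkout", "https://pay.example/start", {"Cookie": "psid=2"}),
    ("https://pay.example/done", "https://shop.example/order/confirm", {"Cookie": "sid=1"}),
    ("https://evil.example/page", "https://shop.example/order/confirm", {"Cookie": "sid=1"}),
]

if __name__ == "__main__":
    for target, stripped in run_session(CollaborationFilter(), SESSION):
        print(target, "stripped" if stripped else "kept")
```

The payment provider's return request to the shop keeps the shop session cookie because the shop initiated the collaboration, while the forged request from the third site is sent without it.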
© 2011 Springer-Verlag Berlin Heidelberg
De Ryck, P., Desmet, L., Joosen, W., Piessens, F. (2011). Automatic and Precise Client-Side Protection against CSRF Attacks. In: Atluri, V., Diaz, C. (eds) Computer Security – ESORICS 2011. ESORICS 2011. Lecture Notes in Computer Science, vol 6879. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23822-2_6
DOI: https://doi.org/10.1007/978-3-642-23822-2_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23821-5
Online ISBN: 978-3-642-23822-2