
Journal in Computer Virology, Volume 4, Issue 1, pp 61–71

Evolution of cross site request forgery attacks

  • Renaud Feil
  • Louis Nyffenegger
SSTIC 2007 Best Academic Papers

Abstract

This paper presents a state-of-the-art survey of cross-site request forgery (CSRF) attacks and of new techniques that potential intruders can use to make them more effective. Several attack scenarios against widely used web applications are discussed, and a vulnerability that affects most recent browsers is explained. This vulnerability makes it possible to perform effective CSRF attacks using the XMLHTTPRequest object. In addition, this paper describes a new technique that preserves the malicious code on the target system even after the browser window is closed. Lastly, the best solutions for preventing these attacks are discussed so that everyone (users, browser or web application developers, and professionals in charge of IT security in an organization or company) can prevent or manage this threat.



Copyright information

© Springer-Verlag France 2007

Authors and Affiliations

  • Hervé Schauer Consultants, Levallois-Perret, France
