Evolution of cross site request forgery attacks
This paper presents the state of the art of cross-site request forgery (CSRF) attacks and new techniques that potential intruders can use to make them more effective. Several attack scenarios on widely used web applications are discussed, and a vulnerability that affects the most recent browsers is explained. This vulnerability makes it possible to perform effective CSRF attacks using the XMLHTTPRequest object. In addition, this paper describes a new technique that preserves the malicious code on the target system even after the browser window is closed. Lastly, the best solutions to prevent these attacks are discussed, so that everyone (users, browser or web application developers, and professionals in charge of IT security in an organization or company) can prevent or manage this threat.
Keywords: Malicious Code, Browser Window, Post Request, Cross Site Request Forgery, Recent Browser
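As an added illustration of the preventive measures the abstract refers to (not code from the paper), the following Python check rejects a state-changing request that arrives cross-site, even though the browser has attached the victim's session cookie; the server key, the allowed origin and the request layout are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed values for the example; a real deployment keeps the key out of source.
SERVER_KEY = b"example-key-rotate-in-production"
ALLOWED_ORIGIN = "https://bank.example"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to one session: nonce.HMAC(key, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return f"{nonce}.{mac.hexdigest()}"


def token_is_valid(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), mac)


def is_csrf_safe(request: dict) -> bool:
    """Decide whether a state-changing request may be honoured.

    `request` is a constructed dict: method, headers, cookies, form. The
    browser attaches the session cookie to cross-site requests (that is the
    CSRF problem), so the cookie alone proves nothing. Two checks apply: the
    Origin/Referer header, when present, must name our own site (page script
    cannot set Origin on an XMLHttpRequest), and the form must carry a token
    that verifies against the session the cookie names.
    """
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state; nothing to protect
    headers = request.get("headers", {})
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is not None and not (
        origin == ALLOWED_ORIGIN or origin.startswith(ALLOWED_ORIGIN + "/")
    ):
        return False
    session_id = request.get("cookies", {}).get("session")
    token = request.get("form", {}).get("csrf_token", "")
    if not session_id or not token:
        return False
    return token_is_valid(session_id, token)
```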