Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection

  • Ziqing Mao
  • Ninghui Li
  • Ian Molloy
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5628)

Abstract

A cross-site request forgery (CSRF) attack occurs when a user’s web browser is instructed by a malicious webpage to send a request to a vulnerable web site, resulting in the vulnerable web site performing actions not intended by the user. CSRF vulnerabilities are very common, and the consequences of such attacks are most serious for financial websites. We recognize that CSRF attacks are an example of the confused deputy problem, in which the browser is viewed by websites as the deputy of the user but may be tricked into sending requests that violate the user’s intention. We propose Browser-Enforced Authenticity Protection (BEAP), a browser-based mechanism to defend against CSRF attacks. BEAP infers whether a request reflects the user’s intention and whether an authentication token is sensitive, and strips sensitive authentication tokens from any request that may not reflect the user’s intention. The inference is based on information about the request (e.g., how the request is triggered and crafted) and on heuristics derived from analyzing real-world web applications. We have implemented BEAP as a Firefox browser extension and show that BEAP effectively defends against CSRF attacks without breaking existing web applications.
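As an added illustration (not the paper's code and not its exact heuristics), the following Python model shows the shape of the BEAP decision the abstract describes: judge whether a request reflects the user's intention, judge whether each authentication cookie is sensitive, and let only the permitted cookies accompany the request. The trigger categories, the same-origin rule and the sensitivity rule are simplifying assumptions chosen here for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str    # host the cookie was set for
    secure: bool   # cookie was set by the site over HTTPS


@dataclass
class Request:
    url: str
    method: str
    trigger: str               # assumed categories: typed, bookmark, link, form, resource
    initiator: Optional[str]   # URL of the page that caused the request; None if user-typed


def origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def reflects_user_intention(req: Request) -> bool:
    # Navigation the user typed or bookmarked is taken at face value.
    if req.trigger in ("typed", "bookmark"):
        return True
    # A page driving requests to its own origin is the site acting on itself.
    if req.initiator is not None and origin(req.initiator) == origin(req.url):
        return True
    # Cross-origin: only a user-clicked GET link is treated as intended (assumption).
    return req.trigger == "link" and req.method == "GET"


def token_is_sensitive(cookie: Cookie, req: Request) -> bool:
    # Illustrative rule: HTTPS-set cookies always guard something valuable;
    # plain-HTTP cookies matter only when a state-changing (non-GET) request carries them.
    return cookie.secure or req.method != "GET"


def cookies_to_attach(req: Request, jar: List[Cookie]) -> List[Cookie]:
    """Return the cookies the browser may send: everything for an intended
    request, only non-sensitive cookies for one that may be forged."""
    host = urlsplit(req.url).hostname
    eligible = [c for c in jar if c.domain == host]
    if reflects_user_intention(req):
        return eligible
    return [c for c in eligible if not token_is_sensitive(c, req)]
```

A cross-site auto-submitted POST to the bank therefore leaves with no cookies at all, while the same POST issued from the bank's own page keeps its session cookie.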

Keywords

Cross-Site Request Forgery, Web Security, Browser Security

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Ziqing Mao (1)
  • Ninghui Li (1)
  • Ian Molloy (1)

  1. Department of Computer Science, Purdue University, West Lafayette, USA