Abstract
Cross-Site Request Forgery (XSRF) is regarded as one of the major threats on the Web. In this paper, we propose an approach that automatically retrofits the source code of legacy web applications with a widely-used defense against this attack. The approach addresses a number of shortcomings in prior black-box solutions for automatic XSRF protection. It has been implemented in a tool called X-Protect, which was used to retrofit several commercial Java-based web applications. Our experimental results demonstrate that the X-Protect approach is both effective and efficient in practice.
© 2010 Springer-Verlag Berlin Heidelberg
Zhou, M., Bisht, P., Venkatakrishnan, V.N. (2010). Strengthening XSRF Defenses for Legacy Web Applications Using Whitebox Analysis and Transformation. In: Jha, S., Mathuria, A. (eds) Information Systems Security. ICISS 2010. Lecture Notes in Computer Science, vol 6503. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17714-9_8
DOI: https://doi.org/10.1007/978-3-642-17714-9_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-17713-2
Online ISBN: 978-3-642-17714-9
eBook Packages: Computer Science (R0)