Strengthening XSRF Defenses for Legacy Web Applications Using Whitebox Analysis and Transformation

  • Conference paper
Information Systems Security (ICISS 2010)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6503))

Abstract

Cross Site Request Forgery (XSRF) is regarded as one of the major threats on the Web. In this paper, we propose an approach that automatically retrofits the source code of legacy web applications with a widely-used defense approach for this attack. Our approach addresses a number of shortcomings in prior blackbox solutions for automatic XSRF protection. Our approach has been implemented in a tool called X-Protect that was used to retrofit several commercial Java-based web applications. Our experimental results demonstrate that the X-Protect approach is both effective and efficient in practice.



Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zhou, M., Bisht, P., Venkatakrishnan, V.N. (2010). Strengthening XSRF Defenses for Legacy Web Applications Using Whitebox Analysis and Transformation. In: Jha, S., Mathuria, A. (eds) Information Systems Security. ICISS 2010. Lecture Notes in Computer Science, vol 6503. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17714-9_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-17714-9_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17713-2

  • Online ISBN: 978-3-642-17714-9

  • eBook Packages: Computer Science (R0)