Robust defenses for cross-site request forgery

Published: 27 October 2008

    Abstract

    Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the honest web site as the attacker. The severity of a login CSRF vulnerability varies by site, but it can be as severe as a cross-site scripting vulnerability. We detail three major CSRF defense techniques and find shortcomings with each technique. Although the HTTP Referer header could provide an effective defense, our experimental observation of 283,945 advertisement impressions indicates that the header is widely blocked at the network layer due to privacy concerns. Our observations do suggest, however, that the header can be used today as a reliable CSRF defense over HTTPS, making it particularly well-suited for defending against login CSRF. For the long term, we propose that browsers implement the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns.
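As an added illustration that is not code from the paper, the following Python models the Referer/Origin check the abstract describes, applied to a login endpoint so that a forged cross-site login request is refused before any session is bound to an account. It prefers the Origin header, falls back to the Referer, and, following the abstract's observation, treats a missing header strictly over HTTPS (reject) and leniently over plain HTTP (accept), where the header is commonly stripped. The site origin `https://bank.example`, the header values and the `handle_login` stub are constructed assumptions; normalising default ports and rejecting an unparseable Origin value such as `null` go slightly beyond the abstract and are standard practice rather than anything the paper states.

```python
"""Origin/Referer-based CSRF check for a login form.

Illustrative example added to this page; not the paper's code.
The site origin, header values and login stub are constructed.
"""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"  # constructed: the site being protected


def origin_of(url):
    """Reduce a URL to scheme://host[:port], dropping default ports.

    Returns None when the value is not an absolute URL, which also
    covers the literal Origin value "null" and malformed headers.
    """
    try:
        p = urlsplit(url)
        port = p.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if not p.scheme or not p.hostname:
        return None
    scheme = p.scheme.lower()
    host = p.hostname.lower()
    default = {"https": 443, "http": 80}.get(scheme)
    if port is None or port == default:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def csrf_check(headers, site_origin=SITE_ORIGIN):
    """Return (allowed, reason) for a state-changing request.

    Strict mode (HTTPS site): a request with neither Origin nor Referer
    is rejected, since the abstract reports the header is rarely stripped
    over HTTPS.  Lenient mode (HTTP site): such a request is accepted,
    because stripping at the network layer is common there.
    """
    h = {k.lower(): v for k, v in headers.items()}
    site = origin_of(site_origin)
    strict = site.startswith("https://")

    # Origin names only the originating site, so it is preferred;
    # Referer carries the full URL and is the fallback.
    raw, source = h.get("origin"), "Origin"
    if raw is None:
        raw, source = h.get("referer"), "Referer"

    if raw is None:
        if strict:
            return False, "no Origin or Referer on an HTTPS request: reject"
        return True, "no Origin or Referer on an HTTP request: accept (lenient)"

    src = origin_of(raw)
    if src is None:
        return False, f"unparseable {source} header {raw!r}: reject"
    if src == site:
        return True, f"{source} matches site origin"
    return False, f"cross-origin request: {source} is {src}"


def handle_login(headers, form, site_origin=SITE_ORIGIN):
    """Login handler that runs the CSRF check before binding a session.

    Credential verification is a constructed stand-in: any non-empty
    user/password pair is treated as valid.
    """
    ok, why = csrf_check(headers, site_origin)
    if not ok:
        return {"status": 403, "reason": why}
    if form.get("user") and form.get("password"):
        return {"status": 200, "session_user": form["user"]}
    return {"status": 401, "reason": "bad credentials"}


if __name__ == "__main__":
    # Constructed sample requests against the HTTPS site.
    samples = [
        ({"Origin": "https://bank.example"}, {"user": "alice", "password": "pw"}),
        ({"Referer": "https://bank.example:443/login?next=/acct"}, {"user": "alice", "password": "pw"}),
        ({"Origin": "https://attacker.example"}, {"user": "mallory", "password": "x"}),
        ({}, {"user": "alice", "password": "pw"}),
        ({"Origin": "null"}, {"user": "alice", "password": "pw"}),
    ]
    for hdrs, frm in samples:
        print(hdrs, "->", handle_login(hdrs, frm))
```

The same `csrf_check` applies to any other state-changing endpoint; for a site served over plain HTTP, passing `site_origin="http://..."` switches it to the lenient mode, which still refuses a request whose Origin or Referer names a different site.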


    Reviews

    Zheng Gong

Cross-site attacks are widely used to exploit Web site vulnerability. Barth, Jackson, and Mitchell present in this paper a detailed description of cross-site request forgery (CSRF), a specific kind of cross-site attack. CSRF allows the attacker to forge a valid request to a Web site by redirecting the user. The authors also discuss the existing defenses against CSRF and suggest "modifying browsers to send an origin header with POST requests that identifies the [source] that initiated the request." The paper is well written and the references are up to date. The paper should be valuable to professionals in the Internet security area.

    Source: Online Computing Reviews Service


    Published In

    CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
    October 2008
    590 pages
    ISBN:9781595938107
    DOI:10.1145/1455770

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. cross-site request forgery
    2. http referer header
    3. same-origin policy
    4. web application firewall

    Qualifiers

    • Research-article

    Conference

    CCS08

    Acceptance Rates

    CCS '08 Paper Acceptance Rate 51 of 280 submissions, 18%;
    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Article Metrics

• Downloads (last 12 months): 119
    • Downloads (last 6 weeks): 16
    Reflects downloads up to 28 Jul 2024

    Cited By

• (2024) An Enhanced Mechanism for Protecting Web Applications from Cross Site Request Forgery (CSRF). British Journal of Computer, Networking and Information Technology 6(1):1-17. doi:10.52589/BJCNIT-R5YYKXKA. Online publication date: 2 Jan 2024.
    • (2024) Review on Security Defense Technology Research in Edge Computing Environment. Chinese Journal of Electronics 33(1):1-18. doi:10.23919/cje.2022.00.170. Online publication date: Jan 2024.
    • (2024) Extent of spending behavior, problems encountered, and financial knowledge across generational cohorts among state universities and colleges employees. International Journal of Advanced and Applied Sciences 11(2):230-237. doi:10.21833/ijaas.2024.02.024. Online publication date: Feb 2024.
    • (2024) Manipulating Recommender Systems: A Survey of Poisoning Attacks and Countermeasures. ACM Computing Surveys. doi:10.1145/3677328. Online publication date: 25 Jul 2024.
    • (2024) Phishing Vs. Legit: Comparative Analysis of Client-Side Resources of Phishing and Target Brand Websites. Proceedings of the ACM on Web Conference 2024, pp. 1756-1767. doi:10.1145/3589334.3645535. Online publication date: 13 May 2024.
    • (2024) Security Weaknesses in IoT Management Platforms. IEEE Internet of Things Journal 11(1):1572-1588. doi:10.1109/JIOT.2023.3289754. Online publication date: 1 Jan 2024.
    • (2023) Cookie crumbles. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 5539-5556. doi:10.5555/3620237.3620547. Online publication date: 9 Aug 2023.
    • (2023) When Push Comes to Shove: Empirical Analysis of Web Push Implementations in the Wild. Proceedings of the 39th Annual Computer Security Applications Conference, pp. 44-55. doi:10.1145/3627106.3627186. Online publication date: 4 Dec 2023.
    • (2023) A Longitudinal Study of Vulnerable Client-side Resources and Web Developers' Updating Behaviors. Proceedings of the 2023 ACM on Internet Measurement Conference, pp. 162-180. doi:10.1145/3618257.3624804. Online publication date: 24 Oct 2023.
    • (2023) Honey, I Cached our Security Tokens: Re-usage of Security Tokens in the Wild. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 714-726. doi:10.1145/3607199.3607223. Online publication date: 16 Oct 2023.
