Alexei Czeskis
ABSTRACT
Cross-Site Request Forgery (CSRF) attacks are one of the top threats on the web today. These attacks exploit ambient authority in browsers (eg cookies, HTTP authentication state), turning them into confused deputies and causing undesired side effects on vulnerable web sites. Existing defenses against CSRFs fall short in their coverage and/or ease of deployment. In this paper, we present a browser/server solution, Allowed Referrer Lists (ARLs), that addresses the root cause of CSRFs and removes ambient authority for participating web sites that want to be resilient to CSRF attacks. Our solution is easy for web sites to adopt and does not affect any functionality on non-participating sites. We have implemented our design in Firefox and have evaluated it with real-world sites. We found that ARLs successfully block CSRF attacks, are simpler to implement than existing defenses, and do not significantly impact browser performance.
- Adobe. Cross-domain policy file specification, 2013. http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html.Google Scholar
- R. Auger. The Cross-Site Request Forgery (CSRF/XSRF) FAQ, 2010. http://www.cgisecurity.com/csrf-faq.html.Google Scholar
- M. Baldwin. OpenX CSRF Vulnerability Being Actively Exploited, 2012. http://www.infosecstuff.com/openx-csrf-vulnerability-being-actively-exploited/.Google Scholar
- A. Barth. The web origin concept, 2011. http://tools.ietf.org/html/draft-abarth-origin.Google Scholar
- A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In Proceedings of the 15th ACM conference on Computer and communications security (CCS), 2008. Google ScholarDigital Library
- T. Berners-Lee, R. T. Fielding, and H. F. Nielsen. Hypertext Transfer Protocol -- HTTP/1.0, 1996. http://www.ietf.org/rfc/rfc1945.txt. Google ScholarDigital Library
- blowdart. AntiCSRF, 2008. http://anticsrf.codeplex.com/.Google Scholar
- A. Bortz, A. Barth, and A. Czeskis. Origin Cookies: Session Integrity for Web Applications. In Web 2.0 Security and Privacy (W2SP), 2011.Google Scholar
- E. Y. Chen, S. Gorbaty, A. Singhal, and C. Jackson. Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control. In Web 2.0 Security & Privacy (W2SP), 2012.Google Scholar
- P. De Ryck, L. Desmet, W. Joosen, and F. Piessens. Automatic and precise client-side protection against CSRF attacks. In Lecture Notes in Computer Science. Springer, Sept. 2011. Google ScholarDigital Library
- Django Software Foundation. Cross Site Request Forgery protection, 2012. https://docs.djangoproject.com/en/dev/ref/contrib/csrf/.Google Scholar
- D. Esposito. Take advantage of asp.net built-in features to fend off web attacks. Microsoft MSDN, 2005. http://msdn.microsoft.com/en-us/library/ms972969.aspx.Google Scholar
- R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hypertext Transfer Protocol -- HTTP/1.1, 1999. http://www.ietf.org/rfc/rfc2616.txt. Google ScholarDigital Library
- M. Heiderich, M. Niemietz, F. Schuster, T. Holz, and J. Schwenk. Scriptless Attacks - Stealing the Pie Without Touching the Sill. In CCS, 2012. Google ScholarDigital Library
- Inferno. Hacking CSRF Tokens using CSS History Hack, 2009. http://securethoughts.com/2009/07/hacking-csrf-tokens-using-css-history-hack/.Google Scholar
- M. Johns and J. Winter. RequestRodeo: Client side protection against session riding. In Proceedings of the OWASP Europe 2006 Conference, May 2006.Google Scholar
- A. Johnson. The referer header, intranets and privacy, 2007. http://cephas.net/blog/2007/02/06/the-referer-header-intranets-and-privacy/.Google Scholar
- K. Kotowicz. Cross domain content extraction with fake captcha, 2011. http://blog.kotowicz.net/2011/07/cross-domain-content-extraction-with.html.Google Scholar
- B. Lampson, M. Abadi, M. Burrows, and E. Wobber. Authentication in distributed systems: theory and practice. ACM Trans. Comput. Syst., 10(4):265--310, Nov. 1992. Google ScholarDigital Library
- E. Lawrence. Fiddler Web Debugging Proxy, 2012. http://www.fiddler2.com/fiddler2/.Google Scholar
- Z. Mao, N. Li, and I. Molloy. Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection. Financial Cryptography and Data Security. Springer-Verlag, Berlin, Heidelberg, 2009. Google ScholarDigital Library
- G. Maone. NoScript, 2012. http://noscript.net/.Google Scholar
- G. Maone. NoScript ABE - Application Boundaries Enforcer, 2012. http://noscript.net/abe/.Google Scholar
- Microsoft. Microsoft NTML, 2012. http://msdn.microsoft.com/en-us/library/windows/desktop/aa378749(v=vs.85).aspx.Google Scholar
- Mozilla Wiki. Origin header proposal for csrf and clickjacking mitigation, 2011. https://wiki.mozilla.org/Security/Origin.Google Scholar
- National Institute of Standards and Technology (NIST). National vulnerability database, 2012. http://web.nvd.nist.gov/.Google Scholar
- OWASP: The Open Web Application Security Project. OWASP CSRFGuard Project, 2012. https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project.Google Scholar
- H. Purifier. CSRF Magic, 2012. http://csrf.htmlpurifier.org/.Google Scholar
- D. Ross and T. Gondrom. Http header frame options -- draft-gondrom-frame-options-01, 2012. http://tools.ietf.org/html/draft-ietf-websec-frame-options-00.Google Scholar
- P. D. Ryck, L. Desmet, T. Heyman, F. Piessens, and W. Joosen. CsFire: Transparent client-side mitigation of malicious cross-domain requests. In Proceedings of the Second international conference on Engineering Secure Software and Systems (ESSoS), 2010. Google ScholarDigital Library
- O. Shezaf. WHID 2008-05: Drive-by Pharming in the Wild, 2008. http://www.xiom.com/whid-2008-05.Google Scholar
- A. Sidashin. CSRF: Avoid security holes in your Drupal forms, 2011. http://pixeljets.com/blog/csrf-avoid-security-holes-your-drupal-forms.Google Scholar
- Softflare Limited. Hosting/e-mail account prices, 2011.Google Scholar
- S. Stamm, Z. Ramzan, and M. Jakobsson. Drive-by pharming, 2006. https://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf.Google Scholar
- B. Sterne. Content Security Policy -- unofficial draft 12, 2011. https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specifica tion.dev.html.Google Scholar
- T. Y. Woo, T. Y. C, W. Simon, and S. S. Lam. Designing a distributed authorization service. In INFOCOM, 1998.Google ScholarCross Ref
- World Wide Web Consortium. Cross-Origin Resource Sharing, 2012. http://www.w3.org/TR/cors/.Google Scholar
- M. Zalewski. Postcards from the post-XSS world, 2012. http://lcamtuf.coredump.cx/postxss/.Google Scholar
- W. Zeller and E. W. Felten. Cross-Site Request Forgeries: Exploitation and prevention, 2008. www.cs.utexas.edu/users/shmat/courses/library/zeller.pdf.Google Scholar
- Z. Zorz. Facebook spammers trick users into sharing anti-csrf tokens, 2011. http://www.net-security.org/secworld.php?id=11857.Google Scholar
Index Terms
- Lightweight server support for browser-based CSRF protection
Recommendations
Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks
RAID '21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and DefensesCross-Site Request Forgery (CSRF) is among the oldest web vulnerabilities that, despite its popularity and severity, it is still an understudied security problem. In this paper, we undertake one of the first security evaluations of CSRF defense as ...
A server- and browser-transparent CSRF defense for web 2.0 applications
ACSAC '11: Proceedings of the 27th Annual Computer Security Applications ConferenceCross-Site Request Forgery (CSRF) vulnerabilities constitute one of the most serious web application vulnerabilities, ranking fourth in the CWE/SANS Top 25 Most Dangerous Software Errors. By exploiting this vulnerability, an attacker can submit requests ...
Practical attacks on Login CSRF in OAuth
AbstractOAuth 2.0 is an important and well studied protocol. However, despite the presence of guidelines and best practices, the current implementations are still vulnerable and error-prone. This research mainly focused on the Cross-Site ...
Comments