Abstract
CSRF is one of the most serious attacks on the web and has been recognized as a major threat, appearing among the top ten worst vulnerabilities of web applications. A CSRF attack occurs when an attacker takes advantage of the implicit authentication of the HTTP protocol, in which the browser automatically attaches cached credentials such as session cookies to every request it sends to a site, to make an authenticated user's browser execute a sensitive action on a target website without the user's knowledge. In this paper, we present a CSRF protection mechanism that can be added to the Google Chrome browser as an extension. Our tool, "CSRF Detector", is implemented purely on the client side: it defeats the attacker's attempt to perform CSRF by analyzing web requests and web page content to detect both basic and advanced CSRF attacks. Our evaluation shows that the CSRF Detector extension successfully detects all the generated attacks and is able to protect users and web applications against CSRF attacks with no false positives.
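The abstract describes two client-side checks, inspecting outgoing requests and inspecting page content, without giving the detection rules. The following is an added example, not the paper's CSRF Detector code: a minimal classifier of the kind a request-interception extension could run, which flags cross-site requests that carry ambient credentials and either use a state-changing method or load a parameterized GET as a subresource (the "image based" case), plus a scan for forms on a page whose action points to another site. The site comparison, the request fields, the host names and the sample traffic are all assumptions constructed for the illustration.

```javascript
// Added example of a client-side CSRF classifier in the spirit of the
// browser-extension approach. This is NOT the paper's "CSRF Detector"
// code; the heuristics, host names and sample requests are assumptions
// constructed for this illustration.

const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Simplified "site" (registrable domain) derivation. Assumes one-label
// public suffixes such as .com or .example; a real extension would use
// the Public Suffix List so that e.g. foo.co.uk is handled correctly.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Two URLs are cross-site when their registrable domains differ. A request
// with no initiator (typed URL, bookmark) is user-driven, not forged.
function isCrossSite(initiatorUrl, targetUrl) {
  if (!initiatorUrl) return false;
  return siteOf(new URL(initiatorUrl).hostname) !== siteOf(new URL(targetUrl).hostname);
}

// req: { method, url, initiator, type: "navigation"|"subresource"|"form",
//        withCredentials }   -> { verdict: "allow"|"block", reason }
function classifyRequest(req) {
  const method = req.method.toUpperCase();
  if (!isCrossSite(req.initiator, req.url)) {
    return { verdict: "allow", reason: "same-site request" };
  }
  // Without ambient credentials (cookies, HTTP auth) the request cannot
  // act on behalf of the logged-in user, so there is nothing to forge.
  if (!req.withCredentials) {
    return { verdict: "allow", reason: "cross-site but no credentials attached" };
  }
  if (STATE_CHANGING.has(method)) {
    return { verdict: "block", reason: `cross-site ${method} with credentials` };
  }
  // GET should be side-effect free, but image-based CSRF abuses GET
  // endpoints with parameters loaded via <img>, <script> or <iframe>.
  const hasParams = new URL(req.url).search.length > 1;
  if (req.type === "subresource" && hasParams) {
    return { verdict: "block", reason: "cross-site credentialed GET with parameters as subresource" };
  }
  // A top-level navigation (user followed a link) is ordinary browsing.
  return { verdict: "allow", reason: "cross-site navigation" };
}

// Page-content check: forms whose action targets another site are the
// usual carrier of script-submitted CSRF. Regex parsing is adequate for
// this illustration only; an extension would walk the DOM instead.
function findCrossSiteForms(html, pageUrl) {
  const out = [];
  const re = /<form\b[^>]*\baction\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const action = new URL(m[1], pageUrl).href;
    if (isCrossSite(pageUrl, action)) out.push(action);
  }
  return out;
}

// Constructed sample traffic (not captured from any real site).
const SAMPLE_REQUESTS = [
  { name: "link click", method: "GET", url: "https://bank.example/accounts",
    initiator: "https://evil.example/", type: "navigation", withCredentials: true },
  { name: "auto-submitted form", method: "POST", url: "https://bank.example/transfer",
    initiator: "https://evil.example/", type: "form", withCredentials: true },
  { name: "image CSRF", method: "GET", url: "https://bank.example/transfer?to=mallory&amount=1000",
    initiator: "https://evil.example/", type: "subresource", withCredentials: true },
  { name: "legit form", method: "POST", url: "https://bank.example/transfer",
    initiator: "https://www.bank.example/pay", type: "form", withCredentials: true },
  { name: "anonymous cross-site POST", method: "POST", url: "https://bank.example/transfer",
    initiator: "https://evil.example/", type: "form", withCredentials: false },
];

// Constructed attacker page: a hidden form submitted by script.
const SAMPLE_PAGE = `<html><body>
<form id="f" action="https://bank.example/transfer" method="POST">
  <input type="hidden" name="to" value="mallory">
</form>
<form action="/login" method="POST"></form>
<script>document.getElementById("f").submit();</script>
</body></html>`;

function runSamples() {
  return SAMPLE_REQUESTS.map(r => ({ name: r.name, ...classifyRequest(r) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) console.log(`${r.verdict.padEnd(5)} ${r.name}: ${r.reason}`);
  console.log("cross-site forms:", findCrossSiteForms(SAMPLE_PAGE, "https://evil.example/"));
}
```

The decision order matters: same-site and credential-less requests are allowed before any method check, so a site's own forms and anonymous cross-site requests never trip the rule, while the two forged requests (the script-submitted POST and the parameterized image GET) are the only ones blocked. A real extension would act on the block verdict by stripping cookies from the request rather than dropping it, which keeps the user-visible behaviour of the target site intact.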
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Lalia, S., Moustafa, K. (2019). Implementation of Web Browser Extension for Mitigating CSRF Attack. In: Rocha, Á., Adeli, H., Reis, L., Costanzo, S. (eds) New Knowledge in Information Systems and Technologies. WorldCIST'19 2019. Advances in Intelligent Systems and Computing, vol 931. Springer, Cham. https://doi.org/10.1007/978-3-030-16184-2_82
DOI: https://doi.org/10.1007/978-3-030-16184-2_82
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-16183-5
Online ISBN: 978-3-030-16184-2
eBook Packages: Intelligent Technologies and Robotics (R0)