Implementation of Web Browser Extension for Mitigating CSRF Attack

  • Conference paper

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 931))

Abstract

CSRF is one of the most serious cyber-attacks and has been recognized among the major threats and among the top ten worst vulnerabilities of web applications. A CSRF attack occurs when the attacker takes advantage of the implicit authentication mechanisms of the HTTP protocol and the credentials cached in the browser to execute a sensitive action on a target website on behalf of an authenticated user without the user's knowledge. In this paper, we present a CSRF protection mechanism that can be added to the Google Chrome browser as an extension. Our tool, “CSRF Detector”, is implemented purely on the client side; it defeats attempts to perform CSRF attacks by analyzing web requests and web page content to detect all the basic and advanced CSRF attacks. Our evaluation shows that the CSRF Detector extension successfully detects all the generated attacks and is able to protect users and web applications against CSRF attacks with no false positives.
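The per-request decision a client-side filter of the kind the abstract describes has to make, as an added example in JavaScript that is not the paper's CSRF Detector code: each outgoing request is classified by whether its initiator is same-site with the target and whether the method is state-changing, and the verdict is mapped to the response shape a chrome.webRequest blocking listener returns. The request-details shape, the two-label site approximation and the sample request are assumptions.

```javascript
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Site approximation (constructed simplification): registrable domain = last two
// host labels; a real extension would use the Public Suffix List (example.co.uk).
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Classify one outgoing request (assumed shape: chrome.webRequest details with
// url, method, initiator). Returns a verdict plus the reason, for logging.
function classifyRequest(details) {
  const target = new URL(details.url);
  // No initiator = browser UI (typed URL, bookmark), which no attacker page can trigger.
  if (!details.initiator) return { verdict: "allow", reason: "browser-initiated" };
  // Chrome reports opaque origins (sandboxed frames, data: URLs) as "null": never same-site.
  const originSite = details.initiator === "null"
    ? null : siteOf(new URL(details.initiator).hostname);
  if (originSite === siteOf(target.hostname)) {
    return { verdict: "allow", reason: "same-site" };
  }
  const method = (details.method || "GET").toUpperCase();
  if (STATE_CHANGING.has(method)) {
    // Cross-site POST/PUT/PATCH/DELETE is the classic CSRF vector: cancel it.
    return { verdict: "block", reason: "cross-site state-changing request" };
  }
  // Cross-site GET (e.g. <img> aimed at a sensitive URL): pass it without ambient cookies.
  return { verdict: "strip-cookies", reason: "cross-site GET" };
}

// Map a verdict to the BlockingResponse a chrome.webRequest listener returns:
// {cancel: true} from onBeforeRequest, {requestHeaders} from onBeforeSendHeaders.
function toBlockingResponse(details) {
  const { verdict } = classifyRequest(details);
  if (verdict === "block") return { cancel: true };
  if (verdict === "strip-cookies") {
    const requestHeaders = (details.requestHeaders || [])
      .filter((h) => h.name.toLowerCase() !== "cookie");
    return { requestHeaders };
  }
  return {};
}
// Constructed sample: a page on attacker.example forges a POST to the bank.
const sampleForgedPost = {
  url: "https://bank.example/transfer",
  method: "POST",
  initiator: "https://attacker.example",
  requestHeaders: [{ name: "Cookie", value: "session=abc" }],
};
```

Stripping cookies rather than cancelling cross-site GETs keeps ordinary cross-site embeds (images, scripts) working while removing the ambient authentication that makes them usable for CSRF.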



Corresponding author

Correspondence to Saoudi Lalia.


Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

Lalia, S., Moustafa, K. (2019). Implementation of Web Browser Extension for Mitigating CSRF Attack. In: Rocha, Á., Adeli, H., Reis, L., Costanzo, S. (eds) New Knowledge in Information Systems and Technologies. WorldCIST'19 2019. Advances in Intelligent Systems and Computing, vol 931. Springer, Cham. https://doi.org/10.1007/978-3-030-16184-2_82
