A Client-Based and Server-Enhanced Defense Mechanism for Cross-Site Request Forgery

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6307)

Abstract

A conventional CSRF attack involves more than one domain. In this paper we cover both cross-domain CSRF and same-domain CSRF, which overlaps with Cross-Site Scripting (XSS): if an XSS payload instructs the victim's browser to send requests to the same domain, it is also a CSRF, namely a same-domain CSRF. This kind of XSS-CSRF is widespread, and even high-profile sites cannot always avoid such vulnerabilities.

Three defenses are in common use: Referer header checking, secret validation tokens and CAPTCHA. The Referer header is sometimes missing [1]; a secret token becomes useless once an XSS exists on the site, because the injected script runs in the same origin and can read the token; and CAPTCHA is too intrusive for users. Besides, [2, 3] propose browser-enforced (client-side) checks, but purely client-side checking cannot be trusted from the server's perspective, and those schemes still suffer from the missing-Referer problem. Moreover, none of [1-3] addresses same-domain CSRF. We therefore propose a client-initiated and server-completed defense mechanism (CSDM).

This work is supported by the National Natural Science Foundation of China under Grants No. 60970140, No. 60773135 and No. 90718007.

References

  1. Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: 15th ACM Conference on Computer and Communications Security (CCS 2008)

  2. Mao, Z., Li, N., Molloy, I.: Defeating cross-site request forgery attacks with browser-enforced authenticity protection. In: 13th International Conference on Financial Cryptography and Data Security (FC 2009)

  3. Maes, W., Heyman, T., Desmet, L., et al.: Browser protection against cross-site request forgery. In: 1st ACM Workshop on Secure Execution of Untrusted Code (SecuCode 2009), co-located with the 16th ACM Conference on Computer and Communications Security

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Xing, L., Zhang, Y., Chen, S. (2010). A Client-Based and Server-Enhanced Defense Mechanism for Cross-Site Request Forgery. In: Jha, S., Sommer, R., Kreibich, C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15512-3_25

  • DOI: https://doi.org/10.1007/978-3-642-15512-3_25

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-15511-6

  • Online ISBN: 978-3-642-15512-3

  • eBook Packages: Computer Science (R0)