
Lightweight server support for browser-based CSRF protection

Published: 13 May 2013

Abstract

Cross-Site Request Forgery (CSRF) attacks are one of the top threats on the web today. These attacks exploit ambient authority in browsers (e.g., cookies and HTTP authentication state), turning the browser into a confused deputy and causing undesired side effects on vulnerable web sites. Existing defenses against CSRF fall short in their coverage and/or ease of deployment. In this paper, we present a browser/server solution, Allowed Referrer Lists (ARLs), that addresses the root cause of CSRF and removes ambient authority for participating web sites that want to be resilient to CSRF attacks. Our solution is easy for web sites to adopt and does not affect any functionality on non-participating sites. We have implemented our design in Firefox and evaluated it with real-world sites. We found that ARLs successfully block CSRF attacks, are simpler to implement than existing defenses, and do not significantly impact browser performance.
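To make the mechanism in the abstract concrete, the following is an added example (not code from the paper or from its Firefox implementation) that models both sides in JavaScript: a browser that attaches cookies to every request regardless of which page initiated it, and a browser that honours an Allowed-Referrer-List style policy published by a participating site and withholds cookies when the initiating origin is not listed. The policy representation (a per-site array of allowed initiator origins), the hosts bank.example, shop.example, partner.example and evil.example, the cookie values and the `/transfer` endpoint are all constructed assumptions; the paper's actual ARL syntax and enforcement details are not on this page.

```javascript
// Added example, not the paper's code. It contrasts a legacy browser that
// attaches "ambient authority" (cookies) to every request with a browser that
// consults an Allowed-Referrer-List style policy for participating sites and
// strips cookies from requests initiated by origins not on the list.
// Policy format, hosts, cookie and session values are constructed assumptions.

// Constructed sample cookie jar, keyed by site.
const cookieJar = {
  "bank.example": { session: "s3cr3t-session" },
  "shop.example": { session: "shop-session" },
};

// Constructed sample ARL policies (assumed format: list of initiator origins).
// shop.example publishes none, so it is a non-participating site whose
// behaviour must be unchanged.
const arlPolicies = {
  "bank.example": ["https://bank.example", "https://partner.example"],
};

// Browser side: decide which cookies travel with a request.
// `initiatorOrigin` is the origin of the page or script that caused the
// request. The browser knows it directly, so unlike the Referer header it
// cannot be suppressed or forged by the attacker's page.
// `policies` defaults to the ARL table; pass {} to model a legacy browser.
function buildRequest(method, url, initiatorOrigin, policies = arlPolicies) {
  const host = new URL(url).host;
  const jar = cookieJar[host] || {};
  const arl = policies[host];
  // Participating site + initiator not on its list: drop ambient authority.
  const stripped = Boolean(arl) && !arl.includes(initiatorOrigin);
  return {
    method,
    url,
    initiatorOrigin,
    cookies: stripped ? {} : { ...jar },
    stripped,
  };
}

// Server side: a state-changing endpoint that relies only on the session
// cookie, the classic CSRF-vulnerable shape (no anti-CSRF token check).
const validSessions = new Set(["s3cr3t-session", "shop-session"]);
function handleStateChange(req) {
  if (req.method !== "POST") return { status: 405 };
  if (!validSessions.has(req.cookies.session)) return { status: 401 };
  return { status: 200 };
}

// Run one cross-site POST against `host` and report whether the browser
// stripped cookies and what the server answered.
function scenario(host, initiatorOrigin, policies = arlPolicies) {
  const req = buildRequest("POST", `https://${host}/transfer`, initiatorOrigin, policies);
  return { stripped: req.stripped, status: handleStateChange(req).status };
}

// Legacy browser: the attacker's page rides bank.example's session (CSRF succeeds).
const legacy = scenario("bank.example", "https://evil.example", {});
// ARL-aware browser: the same request arrives without cookies and is rejected.
const protectedSite = scenario("bank.example", "https://evil.example");
// Same-origin and listed partner requests keep working.
const sameOrigin = scenario("bank.example", "https://bank.example");
const partner = scenario("bank.example", "https://partner.example");
// Non-participating site: identical to legacy behaviour (and still vulnerable).
const nonParticipating = scenario("shop.example", "https://evil.example");

console.log({ legacy, protectedSite, sameOrigin, partner, nonParticipating });
```

Run with node. The shop.example case is the "does not affect non-participating sites" property from the abstract, and also the caveat that a site which publishes no list gets no protection; the legacy case is the CSRF baseline the paper is defending against. The decision keys on the initiator origin the browser itself knows, not on the Referer header, which an attacking page can cause to be omitted.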


Cited By

  • (2024) The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web. 2024 IEEE Symposium on Security and Privacy (SP), pp. 166-184. DOI 10.1109/SP54263.2024.00098. Published 19 May 2024.
  • (2023) Deep Learning-Based Detection of CSRF Vulnerabilities in Web Applications. 2023 IEEE Intl Conf on Dependable, Autonomic and Secure Computing / Pervasive Intelligence and Computing / Cloud and Big Data Computing / Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), pp. 916-920. DOI 10.1109/DASC/PiCom/CBDCom/Cy59711.2023.10361414. Published 14 Nov 2023.
  • (2022) The State of the SameSite: Studying the Usage, Effectiveness, and Adequacy of SameSite Cookies. 2022 IEEE Symposium on Security and Privacy (SP), pp. 1590-1607. DOI 10.1109/SP46214.2022.9833637. Published May 2022.
  • (2021) Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks. Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses, pp. 370-385. DOI 10.1145/3471621.3471846. Published 6 Oct 2021.
  • (2021) Detecting Vulnerabilities of Web Application Using Penetration Testing and Prevent Using Threat Modeling. Advances in Electronics, Communication and Computing, pp. 21-32. DOI 10.1007/978-981-15-8752-8_3. Published 29 Jan 2021.
  • (2019) IUWT Based Token Authentication Technology. The Journal of Korean Institute of Information Technology 17(2):143-150. DOI 10.14801/jkiit.2019.17.2.143. Published 28 Feb 2019.
  • (2019) Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF Vulnerabilities. 2019 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 528-543. DOI 10.1109/EuroSP.2019.00045. Published Jun 2019.
  • (2018) Information Security Controls against Cross-Site Request Forgery Attacks on Software Applications of Automated Systems. Journal of Physics: Conference Series 1015(4):042034. DOI 10.1088/1742-6596/1015/4/042034. Published 22 May 2018.
  • (2017) Surviving the Web. ACM Computing Surveys 50(1):1-34. DOI 10.1145/3038923. Published 6 Mar 2017.
  • (2017) Exploiting Trust: Stealthy Attacks Through Socioware and Insider Threats. IEEE Systems Journal 11(2):415-426. DOI 10.1109/JSYST.2015.2388707. Published Jun 2017.


Published In

WWW '13: Proceedings of the 22nd International Conference on World Wide Web
May 2013, 1628 pages
ISBN: 9781450320351
DOI: 10.1145/2488388

Sponsors

  • NICBR: Núcleo de Informação e Coordenação do Ponto BR
  • CGIBR: Comitê Gestor da Internet no Brasil

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. authentication
  2. authorization
  3. csrf
  4. web browser
  5. xsrf

Qualifiers

  • Research-article

Conference

WWW '13: 22nd International World Wide Web Conference
May 13 - 17, 2013, Rio de Janeiro, Brazil
Sponsors: NICBR, CGIBR

Acceptance Rates

WWW '13 paper acceptance rate: 125 of 831 submissions, 15%
Overall acceptance rate: 1,899 of 8,196 submissions, 23%
