Annual Computer Security Applications Conference 2011 Technical Track Papers

A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications

Cross-Site Request Forgery (CSRF) is a web application vulnerability that
lets an attacker cause the victim's browser to submit requests to a web
application, which the browser then authenticates with the victim's
credentials (typically session cookies). A successful attack can lead to
compromised accounts, stolen bank funds or information leaks. It is one of
the most common web application vulnerabilities, and is ranked 4th in the
CWE/SANS Top 25 list. This paper presents a new server-side defense against
CSRF attacks. Our solution, called jCSRF, operates as a server-side proxy
and does not require any server or browser modifications. Thus, a site
administrator can deploy it without access to, or understanding of, the web
application's source code. Moreover, protection is achieved without
requiring web-site users to use a specific browser or a browser plug-in.
Unlike previous server-side solutions, jCSRF addresses two key aspects of
Web 2.0: extensive use of client-side scripts that can create requests to
URLs that did not originally appear in the HTML page returned to the
client; and services provided by two or more collaborating web sites that
need to make cross-domain requests.
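To make the proxy-based approach described in the abstract concrete, the following is an added illustration (not jCSRF's code, and not a description of its actual design): a filter that a reverse proxy could apply in both directions without touching the application. Outbound, it binds a token to the application's session cookie and injects it into every POST form and into a `<meta>` tag that same-origin scripts can read and send in a header, covering the script-generated requests the abstract mentions. Inbound, it admits safe methods, rejects cross-origin state-changing requests unless the browser-set `Origin` header names an allowlisted collaborating site, and otherwise requires the session-bound token. The site name, partner origin, cookie name, field and header names, and the HMAC-of-session token construction are all assumptions made for the example.

```python
"""Illustrative CSRF filter for a reverse proxy in front of an unmodified web
application. Added example; it is not jCSRF's code, and the token construction,
origin allowlist and names below are assumptions made for the illustration."""
import hashlib
import hmac
import re
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
PROXY_SECRET = secrets.token_bytes(32)         # known only to the proxy
SITE_ORIGIN = "https://app.example"            # hypothetical protected site
PARTNER_ORIGINS = {"https://partner.example"}  # hypothetical collaborating sites
SESSION_COOKIE = "sid"                         # hypothetical app session cookie name
TOKEN_FIELD = "csrf_token"                     # form field the proxy injects and checks
TOKEN_HEADER = "X-CSRF-Token"                  # header for script-generated (XHR) requests

_POST_FORM_RE = re.compile(
    r'(<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>)', re.IGNORECASE)
_HEAD_RE = re.compile(r'(<head\b[^>]*>)', re.IGNORECASE)


def session_id(headers):
    """Read the app's session cookie from the request headers (None if absent)."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    return jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None


def session_token(sid):
    """Token bound to the session cookie. A page on another origin can neither read
    the cookie nor the token, so it cannot produce a value that matches."""
    return hmac.new(PROXY_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def protect_response(html, sid):
    """Outbound direction: add the token as a hidden field to every POST form and
    as a <meta> tag that same-origin scripts can read and send in TOKEN_HEADER
    on requests the original HTML never contained (e.g. XMLHttpRequest)."""
    token = session_token(sid)
    meta = f'<meta name="csrf-token" content="{token}">'
    html = _HEAD_RE.sub(lambda m: m.group(1) + meta, html, count=1)
    hidden = f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
    return _POST_FORM_RE.sub(lambda m: m.group(1) + hidden, html)


def check_request(method, headers, body=""):
    """Inbound direction. Returns (allowed, reason) for one request."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        # Browsers set Origin on cross-origin POSTs and page script cannot forge it.
        # A sandboxed frame or data: URL sends "null", which lands in the reject branch.
        if origin in PARTNER_ORIGINS:
            return True, f"cross-origin request from allowlisted partner {origin}"
        return False, f"cross-origin request from {origin}"
    # Same-origin request, or no Origin header at all: require the session-bound token.
    sid = session_id(headers)
    if sid is None:
        return False, "no session cookie"
    supplied = headers.get(TOKEN_HEADER)
    if supplied is None and headers.get("Content-Type", "").startswith(
            "application/x-www-form-urlencoded"):
        supplied = parse_qs(body).get(TOKEN_FIELD, [None])[0]
    if supplied is None:
        return False, "missing token"
    if not hmac.compare_digest(supplied, session_token(sid)):
        return False, "token does not match session"
    return True, "token ok"
```

A request with no session cookie is refused here, which is the conservative choice but would block a login form; a real deployment would have the proxy issue its own pre-session cookie to bind the token to. Note also that the partner-origin branch trusts the collaborating site entirely; whether that is acceptable depends on what the partner is allowed to do on the user's behalf.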

Author(s):

Riccardo Pelizzi    
Stony Brook University
United States

R Sekar    
Stony Brook University
United States
