Defeating cross-site request forgery attacks with browser-enforced authenticity protection

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 5628 LNCS, Issue , 2009, Pages 238-255

  Mao, Ziqing ^a   Li, Ninghui ^a   Molloy, Ian ^a  

^a Purdue University   (United States)

Author keywords

Browser security; Cross site request forgery; Web security

Indexed keywords

AUTHENTICATION TOKEN; BROWSER SECURITY; CROSS-SITE REQUEST FORGERY; FIREFOX; FORGERY ATTACKS; REAL-WORLD; WEB APPLICATION; WEB SECURITY; WEB-PAGE;

AUTHENTICATION; CRYPTOGRAPHY; INTERNET; WEBSITES;

WEB BROWSERS;

EID: 70350356658     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-03549-4_15     Document Type: Conference Paper

References (25)

1. The platform for privacy preferences project (p3p), http://www.w3.org/TR/ P3P
2. The web hacking incidents database (2008), http://www.webappsec.org/ projects/whid/byid-id-2008-05.shtml
3. Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: Proc. ACM Conference on Computer and Communications Security (CCS) (October 2008)
4. Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., Stewart, L.: HTTP authentication: Basic and digest access authentication. RFC 2617 (June 1999), http://www.ietf.org/rfc/rfc2617.txt
5. Google. Load time analyzer 1.5, firefox add-on (March 2007), https://addons.mozilla.org/en-US/firefox/addon/3371
6. Group, N.W.: Hypertext transfer protocol - HTTP/1.1. RFC 2616 (June 1999), http://www.ietf.org/rfc/rfc2616.txt
7. Hansen, R., Stracener, T.: Xploiting google gadgets: Gmalware and beyond (August 2008)
8. Higgins, K.J.: CSRF vulnerability: A 'sleeping giant' (2006)
9. Jackson, C.: Defeating frame busting techniques (2005), http://www.crypto.stanford.edu/framebust/
10. Johns, M., Winter, J.: RequestRodeo: Client side protetion against session riding. In: Proceedings of the OWASP Europe 2006 Conference (2006)
11. Jovanvoic, N., Kirda, E., Kruegel, C.: Preventing cross site request forgery attacks. In: Proceedings of the Second IEEE Conference on Security and Privacy in Communication Networks (September 2006)
12. Koch, P.: Frame busting, http://www.quirksmode.org/js/framebust.html
13. Kristol, D., Montulli, L.: HTTP state management mechanism. RFC 2965 (October 2000), http://www.ietf.org/rfc/rfc2965.txt
14. MSDN. Privacy in internet explorer 6, http://msdn.microsoft.com/en-us/ library/ms537343VS.85.aspx
15. Oda, T., Wurster, G., van Oorschot, P., Somayaji, A.: Soma: Mutual approval for included content in web pages. In: Proc. ACM Conference on Computer and Communications Security (CCS) (October 2008)
16. OWASP. Top ten most critical web application security vulnerabilties. Whitepaper (2007), http://www.owasp.org/index.php/Top-10-2007
17. phpBB. Create communities worldwide, http://www.phpbb.com
18. Shiflett, C.: Foiling cross-site attacks (October 2001), http://shiflett.org/articles/foiling-cross-site-attacks
19. Shiflett, C.: Security corner: Cross-site request forgeries (December 2004), http://shiflett.org/articles/cross-site-request-forgeries
20. US-CERT. Cross-site request forgery (CSRF) vulnerability in @mail webmail 4.51. CVE-2006-6701 (December 2006), http://nvd.nist.gov/nvd.cfm?cvename=CVE- 2006-6701
21. US-CERT. Multiple cross-site request forgery (CSRF) vulnerabilities in phpmyad-min before 2.9.1. CVE-2006-5116 (October 2006), http://nvd.nist.gov/nvd. cfm?cvename=CVE-2006-5116
22. US-CERT. Google gmail cross-site request forgery vulnerability. Vulnerability Note 571584 (October 2007), http://www.kb.cert.org/vuls/id/571584
23. US-CERT. Cross-site request forgery (CSRF) vulnerability in privmsg.php in ph-pbb 2.0.22. CVE-2008-0471 (January 2008), http://nvd.nist.gov/nvd.cfm? cvename=CVE-2008-0471
24. US-CERT. Cross-site request forgery (CSRF) vulnerability in the Linksys wrt54gl wireless-g broadband router. CVE-2008-0228 (January 2008), http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0228
25. P. W. Cross-site request forgery (2001), http://www.tux.org/~peterw/csrf. txt