Browser protection against cross-site request forgery

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2009, Pages 3-10

  Maes, Wim ^a   Heyman, Thomas ^a   Desmet, Lieven ^a   Joosen, Wouter ^a  

^a UNIVERSITY OF LEUVEN   (Belgium)

Author keywords

Cross Site Request Forgery; Run time policy enforcement; Web application security

Indexed keywords

CONFIGURABLE; CROSS-DOMAIN; END USERS; FIREFOX; POLICY ENFORCEMENT; RUNTIMES; WEB 2.0; WEB APPLICATION; WEB APPLICATION SECURITY; WEB REQUESTS;

NETWORK SECURITY; WORLD WIDE WEB;

WEB BROWSERS;

EID: 74049152806     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1655077.1655081     Document Type: Conference Paper

References (25)

1. Alexa top 500 global sites. http://www.alexa.com/topsites/global.
2. Most visited web sites. http://toolbar.netcraft.com/stats/topsites.
3. XPCOM - MDC. https://developer.mozilla.org/en/XPCOM, 2008.
4. CSS reference. http://www.w3schools.com/CSS/CSS-reference.asp, 2009.
5. HTML 4.01 / XHTML 1.0 Reference. http://www.w3schools.com/tags/, 2009.
6. Adobe. Adobe Flash Player 9 security, July 2008.
7. A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for Cross-Site Request Forgery. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS 2008), pages 75-88, 2008.
8. D. Crocker and P. Overell. Augmented BNF for syntax specifications: ABNF. http://tools.ietf.org/html/rfc5234, 2008.
9. D. Esposito. Take advantage of ASP.NET built-in features to fend off web attacks. http://msdn.microsoft.com/en-us/library/ms972969.aspx, January 2005.
10. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hypertext Transfer Protocol - HTTP/1.1 (rfc2616). http://tools.ietf.org/html/rfc2616, 1999.
11. M. Finkle. Building on the Mozilla platform. Slides Toronto Developer Day, September 2008.
12. C. Jackson, A. Barth, A. Bortz, W. Shao, and D. Boneh. Protecting browsers from DNS rebinding attacks. ACM Trans. Web, 3(1):1-26, 2009.
13. M. Johns and J. Winter. RequestRodeo: Client side protection against session riding. In In Proceedings of the OWASP Europe 2006 Conference, 2006.
14. N. Jovanovic, E. Kirda, and C. Kruegel. Preventing Cross Site Request Forgery attacks. In IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), Baltimore, MD, USA, August 2006.
15. A. Klein. Forging HTTP request headers with Flash. http://www. securityfocus.com/archive/1/441014, July 2006.
16. C. Linhart, A. Klein, R. Heled, and S. Orrin. HTTP request smuggling. Technical report, Watchfire, 2005.
17. T. Oda, G. Wurster, P. C. van Oorschot, and A. Somayaji. SOMA: mutual approval for included content in web pages. In CCS '08: Proceedings of the 15th ACM conference on Computer and communications security, 2008.
18. OWASP. The ten most critical web application security vulnerabilities.
19. OWASP. CSRF Guard. http://www.owasp.org/index.php/CSRF-Guard, October 2008.
20. V. Raghvendra. Session tracking on the web. Internetworking, 3(1), 2000.
21. J. Samuel. Request Policy 0.5.3. http://www.requestpolicy.com.
22. The Mozilla foundation. XPIDL - MDC. https://developer.mozilla.org/en/ XPIDL, October 2007.
23. A. van Kesteren. Cross-origin resource sharing. http://www.w3.org/TR/ 2009/WD-cors-20090317/, March 2009.
24. M. Zalewski. Browser Security Handbook. 2008. http://code.google. com/p/browsersec/wiki/Main.
25. W. Zeller and E. W. Felten. Cross-Site Request Forgeries: Exploitation and prevention. Technical report, October 2008. http://www.freedom-to-tinker. com/sites/default/files/csrf.pdf.