Client-side detection of cross-site request forgery attacks

Proceedings - International Symposium on Software Reliability Engineering, ISSRE

Volumn , Issue , 2010, Pages 358-367

  Shahriar, Hossain ^a   Zulkernine, Mohammad ^a  

^a QUEEN S UNIVERSITY   (Canada)

Author keywords

Browser security; Client side attack detection; Cross site request forgery; Cross site scripting

Indexed keywords

ATTACK DETECTION; BENCHMARK TESTS; BROWSER SECURITY; CLIENT-SIDE ATTACK DETECTION; CROSS-SITE REQUEST FORGERY; CROSS-SITE SCRIPTING; DETECTION METHODS; EVALUATION RESULTS; FIREFOX; FORGERY ATTACKS; INPUT FIELD; PLUG-INS; TEST CASE; THIRD PARTIES; WEB PAGE;

COMPUTER SOFTWARE SELECTION AND EVALUATION; JAVA PROGRAMMING LANGUAGE; QUALITY ASSURANCE; VISIBILITY; WEB BROWSERS; WEBSITES;

SOFTWARE RELIABILITY;

EID: 79952028537     PISSN: 10719458     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ISSRE.2010.12     Document Type: Conference Paper

References (27)

1. OWASP CSRFGuard Project, Accessed from http://www.owasp.org (May 2010).
2. th ACM Conference on Computer and Communications Security, Alexandria, Virginia, October 2008.
3. W. Maes, T. Heyman, L. Desmet, and W. Joosen, "Browser Protection against Cross-Site Request Forgery," In Proc. of the Workshop on Secure Execution of Untrusted Code, Chicago, USA, November 2009 pp. 3-10.
4. N. Jovanovic, E. Krida, and C. Kruegel, "Preventing Cross Site Request Forgery Attacks," In Proc. of the Securecomm Workshops, Baltimore, USA, August 2006.
5. Request Headers in HTTP Protocol, Accessed from http://www.w3.org/ Protocols/HTTP/HTRQ-Headers.htm
6. Cross Site Request Forgery, http://www.owasp.org/index.php/Cross-Site- Request-Forgery-(CSRF)
7. Creating Sandboxed HTTP Connections, https://developer.mozilla.org/en/ Creating-Sandboxed-HTTP-Connections.
8. Basic HTML Data Types, Accessed from http://www.w3.org/TR/html4/types. html.
9. HTML 4.01 Specification, Accessed from http://www.w3.org/TR/REC-html40
10. JavaScript Security in Mozilla, Accessed from www.mozilla.org/projects/ security/components/jssec.html
11. J. Burns, Cross Site Request Forgery: An Introduction to A Common Web Application Weakness, White paper, Information Security Partners LLC.
12. Open Source Vulnerability Database (OSVDB), Accessed from http://osvdb.org.
13. LinPHA PHP Photo Gallery, Accessed from http://sourceforge.net/projects/ linpha.
14. nd International Symposium on Engineering Secure Software and Systems, Pisa, Italy, Feb 2010, pp. 18-34.
15. W. Zeller and E. Felten, Cross-Site Request Forgeries: Exploitation and Prevention, Technical Report, Princeton University, October 2008, Accessed from http://citp.princeton.edu/csrf.
16. M. Johns and J. Winter, "RequestRodeo: Client Side Protection against Session Riding," In Proc. of the OWASP Europe Conference, Leuven, Belgium, May 2006, pp. 5-17.
17. OWASP- Top 10-2010, The 10 Most Critical Web Application Security Risk, Accessed from http://www.owasp.org
18. Cross-Origin Resource Sharing, Accessed from http://www.w3.org/TR/cors
19. G. Zuchlinski, "The Anatomy of Cross Site Scripting", November 2003.
20. HTTP State Management Mechanism, Accessed from http://tools.ietf.org/ html/rfc2965
21. IBM Rational AppScan, Accessed from http://www-01.ibm.com/software/ awdtools/appscan/developer
22. Acunetix Web Vulnerability Scanner, http://www.acunetix.com/ vulnerability-scanner/
23. Testing for CSRF, Accessed from http://www.owasp.org
24. http://www.owasp.org/index.php/Guide-to-CSRF
25. DotProject, Open Source Project and Task Management Software, Accessed from www.dotproject.net
26. th International Conference Financial Cryptography and Data Security, Barbados, February 2009, pp. 238-255.
27. K. Jayaraman, G. Lewandowski, and S. Chapin, Memento: A Framework for Hardening Web Applications Using Behavior Models, Center for Systems Assurance Technical Report CSA-TR-2008-11-01, Syracuse University, NY, USA.