Automatic and precise client-side protection against CSRF attacks

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 6879 LNCS, Issue , 2011, Pages 100-116

  De Ryck, Philippe ^a   Desmet, Lieven ^a   Joosen, Wouter ^a   Piessens, Frank ^a  

^a UNIVERSITY OF LEUVEN   (Belgium)

Author keywords

browser security; CSRF; web security

Indexed keywords

AUTHENTICATION; HTTP;

AUTHENTICATION INFORMATION; BREAKINGS; BROWSER SECURITY; CLIENT SIDES; CROSS SITE REQUEST FORGERY; FORGERY ATTACKS; SINGLE SIGN ON; SINGLE SIGNS-ON; THIRD PARTY PAYMENTS; WEB SECURITY;

MODEL CHECKING;

EID: 80053028570     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-23822-2_6     Document Type: Conference Paper

References (19)

1. Akhawe, D., Barth, A., Lam, P.E., Mitchell, J., Song, D.: Towards a formal foundation of web security. In: IEEE Computer Security Foundations Symposium, pp. 290-304 (2010)
2. Barth, A., Jackson, C., Hickson, I.: The web origin concept (November 2010), http://tools.ietf.org/html/draft-abarth-origin-09
3. Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: 15th ACM Conference on Computer and Communications Security, CCS 2008 (2008)
4. Burns, J.: Cross site reference forgery: An introduction to a common web application weakness. In: Security Partners, LLC (2005)
5. De Ryck, P., Desmet, L., Heyman, T., Piessens, F., Joosen, W.: CsFire: Transparent client-side mitigation of malicious cross-domain requests. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 18-34. Springer, Heidelberg (2010)
6. De Ryck, P., Desmet, L., Piessens, F., Joosen, W.: Automatic and precise clientside protection against csrf attacks - downloads (2011), https://distrinet.cs.kuleuven.be/software/CsFire/esorics2011/
7. Django. Cross site request forgery protection (2011), http://docs.djangoproject.com/en/dev/ref/contrib/csrf/
8. Informaction Forums. Which is the best way to configure ABE? (July 2010), http://forums.informaction.com/viewtopic.php?f=23\&t=4752
9. Johns, M., Winter, J.: RequestRodeo: client side protection against session riding. In: Proceedings of the OWASP Europe 2006 Conference, refereed papers track, Report CW448, pp. 5-17 (2006)
10. Jovanovic, N., Kirda, E., Kruegel, C.: Preventing cross site request forgery attacks. In: IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), pp. 1-10 (2006)
11. Maes, W., Heyman, T., Desmet, L., Joosen, W.: Browser protection against cross-site request forgery. In: Proceedings of the First ACM Workshop on Secure Execution of Untrusted Code, pp. 3-10. ACM, New York (2009)
12. Mao, Z., Li, N., Molloy, I.: Defeating cross-site request forgery attacks with browser-enforced authenticity protection. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 238-255. Springer, Heidelberg (2009)
13. Giorgio Maone. Noscript 2.0.9.9 (2011), http://noscript.net/
14. Ruby on Rails. Actioncontroller::requestforgeryprotection (2011), http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection. html
15. Owasp. Csrf guard (October 2008), http://www.owasp.org/index.php/CSRF- Guard
16. Samuel, J.: Requestpolicy 0.5.20 (2011), http://www.requestpolicy.com
17. Shahriar, H., Zulkernine, M.: Client-side detection of cross-site request forgery attacks. In: 2010 IEEE 21st International Symposium on Software Reliability Engineering (ISSRE), pp. 358-367 (November 2010)
18. Zalewski, M.: Browser security handbook (2010), http://code.google.com/p/ browsersec/wiki/Main
19. Zeller, W., Felten, E.W.: Cross-site request forgeries: Exploitation and prevention. Technical report, Princeton University (2008)