论文信息 - CsFire: Transparent Client-Side Mitigation of Malicious Cross-Domain Requests

CsFire: Transparent Client-Side Mitigation of Malicious Cross-Domain Requests

Protecting users in the ubiquitous online world is becoming more and more important, as shown by web application security – or the lack thereof – making the mainstream news. One of the more harmful attacks is cross-site request forgery (CSRF), which allows an attacker to make requests to certain web applications while impersonating the user without their awareness. Existing client-side protection mechanisms do not fully mitigate the problem or have a degrading effect on the browsing experience of the user, especially with web 2.0 techniques such as AJAX, mashups and single sign-on. To fill this gap, this paper makes three contributions: first, a thorough traffic analysis on real-world traffic quantifies the amount of cross-domain traffic and identifies its specific properties. Second, a client-side enforcement policy has been constructed and a Firefox extension, named CsFire (CeaseFire), has been implemented to autonomously mitigate CSRF attacks as precise as possible. Evaluation was done using specific CSRF scenarios, as well as in real-life by a group of test users. Third, the granularity of the client-side policy is improved even further by incorporating server-specific policy refinements about intended cross-domain traffic.

[1] Wouter Joosen,et al. Browser protection against cross-site request forgery , 2009, SecuCode '09.

[2] Cyril S. Ku,et al. Design Patterns , 2008, Wiley Encyclopedia of Computer Science and Engineering.

[3] Dave Crocker,et al. Augmented BNF for Syntax Specifications: ABNF , 1997, RFC.

[4] Collin Jackson,et al. Robust defenses for cross-site request forgery , 2008, CCS.

[5] Helen J. Wang,et al. The Multi-Principal OS Construction of the Gazelle Web Browser , 2009, USENIX Security Symposium.

[6] F. Piessens,et al. Requestrodeo: Client Side Protection against Session Riding , 2006 .

[7] Christopher Krügel,et al. Preventing Cross Site Request Forgery Attacks , 2006, 2006 Securecomm and Workshops.

[8] Michael Hicks,et al. Defeating script injection attacks with browser-enforced embedded policies , 2007, WWW '07.

[9] E. Felten,et al. Cross-Site Request Forgeries : Exploitation and Prevention , 2008 .

[10] Christopher G. Lasater,et al. Design Patterns , 2008, Wiley Encyclopedia of Computer Science and Engineering.

[11] Ninghui Li,et al. Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection , 2009, Financial Cryptography.

[12] S. Hadjiefthymiades,et al. Hypertext Transfer Protocol (HTTP) , 1996 .