Robust defenses for cross-site request forgery

Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the honest web site as the attacker. The severity of a login CSRF vulnerability varies by site, but it can be as severe as a cross-site scripting vulnerability. We detail three major CSRF defense techniques and find shortcomings with each technique. Although the HTTP Referer header could provide an effective defense, our experimental observation of 283,945 advertisement impressions indicates that the header is widely blocked at the network layer due to privacy concerns. Our observations do suggest, however, that the header can be used today as a reliable CSRF defense over HTTPS, making it particularly well-suited for defending against login CSRF. For the long term, we propose that browsers implement the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns.
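
As an added illustration (not code from the paper), the following Node.js request filter implements the header-based check the abstract argues for: it validates the Origin header on state-changing requests, falls back to Referer when Origin is absent, and, following the paper's observation that suppression is rare over HTTPS, rejects a request that carries neither. The site origin, the sample requests and the login-CSRF scenario are assumptions constructed for this example.

```javascript
// Added example: Origin/Referer validation for CSRF, including login CSRF.
// Not code from the paper; SITE_ORIGIN, paths and requests are assumptions.

const SITE_ORIGIN = "https://bank.example"; // assumed protected site
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Reduce a header value to "scheme://host[:port]" (default ports dropped,
// host lower-cased, path/query ignored). Returns null for anything that is
// not an http(s) URL, so "javascript:" or garbage never matches.
function normalizeOrigin(value) {
  let u;
  try {
    u = new URL(value);
  } catch {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.origin; // WHATWG URL.origin already normalizes host and port
}

// req: { method, headers } with lower-cased header names.
// Returns { allow, reason } so callers (and tests) can inspect the decision.
function csrfDecision(req, siteOrigin = SITE_ORIGIN) {
  const method = req.method.toUpperCase();
  if (!STATE_CHANGING.has(method)) {
    return { allow: true, reason: "safe method" };
  }

  const origin = req.headers["origin"];
  if (origin !== undefined) {
    // Browsers send the literal string "null" for opaque origins; treat as foreign.
    if (origin === "null") return { allow: false, reason: "opaque origin" };
    return normalizeOrigin(origin) === siteOrigin
      ? { allow: true, reason: "origin matches" }
      : { allow: false, reason: "origin mismatch" };
  }

  const referer = req.headers["referer"];
  if (referer !== undefined) {
    return normalizeOrigin(referer) === siteOrigin
      ? { allow: true, reason: "referer matches" }
      : { allow: false, reason: "referer mismatch" };
  }

  // Strict policy (assumed here): no Origin and no Referer means reject.
  // Over plain HTTP this would lose real users whose networks strip Referer;
  // over HTTPS, per the abstract's measurements, it rarely does.
  return { allow: false, reason: "no origin or referer" };
}

// Constructed sample requests, not captured traffic.
// "loginCsrf" models an attacker page auto-submitting
// <form action="https://bank.example/login" method="POST"> with the
// attacker's own credentials, to log the victim in as the attacker.
const SAMPLE_REQUESTS = {
  legitimateLogin: {
    method: "POST",
    headers: { origin: "https://bank.example", referer: "https://bank.example/login" },
  },
  loginCsrf: {
    method: "POST",
    headers: { origin: "https://attacker.example", referer: "https://attacker.example/page.html" },
  },
  // Older browser: no Origin header, but Referer with an explicit default port.
  oldBrowserLogin: {
    method: "POST",
    headers: { referer: "https://bank.example:443/login" },
  },
  // Referer stripped by a privacy proxy, no Origin: rejected under strict policy.
  strippedReferer: { method: "POST", headers: {} },
  pageLoad: { method: "GET", headers: {} },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  const d = csrfDecision(req);
  console.log(`${name.padEnd(16)} ${d.allow ? "ALLOW " : "REJECT"} (${d.reason})`);
}
```

The check is applied only to methods that change state; GET requests are left alone so that ordinary navigation and images are never blocked. A deployment that cannot require HTTPS for the login form would have to relax the final branch, and at that point the abstract's measurement of Referer suppression is the number to consult.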