Chapter 20 – CSRF and Big Data: Rethinking Cross-Site Request Forgery in Light of Big Data
暂无分享,去创建一个
In the realm of Big Data analytics, a critical yet often overlooked issue is that of (big) data integrity and accuracy. Namely, the largest generators of Big Data—the major social and media sites—are known to be the most frequent and most attractive victims to various forms of security attacks and social engineering ploys. Almost by rule, the ultimate collateral victim of these attacks is the contextual integrity of the data being stored at or collected out of the target sites. One such form of attack, which is particularly potent when it comes to the compromise of contextual data integrity, is Cross-Site Request Forgery (CSRF).
The goal of our work was to examine the current state of CSRF defense in some of the major social and media sites. We have discovered that, even though it has been more than a decade since CSRF was first identified, many of these sites (including YouTube, LinkedIn, and Wikipedia) still remain vulnerable to some easily exploitable forms of CSRF. We have also learned that these particular forms of CSRF exploits are not recognizable as dangerous, even by some of the leading URL scanning tools. Finally, we have discovered that the three leading browsers employ slightly different sets of measures against CSRF, which means the CSRF attack vector may need to be configured adaptively per browser by the adversary.
[1] Collin Jackson,et al. Robust defenses for cross-site request forgery , 2008, CCS.
[2] Roshan Shaikh. Defending Cross Site Reference Forgery (CSRF) Attacks on Contemporary Web Applications Using a Bayesian Predictive Model , 2013 .
[3] Helen J. Wang,et al. Lightweight server support for browser-based CSRF protection , 2013, WWW.
[4] J. Manyika. Big data: The next frontier for innovation, competition, and productivity , 2011 .