Abstract
Protecting users in the ubiquitous online world is becoming more and more important, as shown by web application security – or the lack thereof – making the mainstream news. One of the more harmful attacks is cross-site request forgery (CSRF), which lets an attacker cause the victim's browser to send authenticated requests to a web application, impersonating the user without their awareness. Existing client-side protection mechanisms do not fully mitigate the problem or degrade the browsing experience of the user, especially with web 2.0 techniques such as AJAX, mashups and single sign-on. To fill this gap, this paper makes three contributions. First, a thorough analysis of real-world traffic quantifies the amount of cross-domain traffic and identifies its specific properties. Second, a client-side enforcement policy has been constructed and a Firefox extension, named CsFire (CeaseFire), has been implemented to autonomously mitigate CSRF attacks as precisely as possible. Evaluation was done using specific CSRF scenarios, as well as in real life by a group of test users. Third, the granularity of the client-side policy is improved even further by incorporating server-specific policy refinements about intended cross-domain traffic.
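The abstract describes the mechanism only at a high level: a client-side policy that decides, per outgoing request, whether ambient authentication may travel cross-domain, refined by what the destination server declares as intended cross-domain traffic. The block below is an added, simplified illustration of that idea and is not CsFire's own code or its actual policy: it reduces hosts to a registrable domain using a constructed, tiny public-suffix table, strips the Cookie and Authorization headers from cross-domain requests, and lets through requests matched by a hypothetical server-declared refinement list whose format (origin domain, method, path prefix) is this example's assumption. The sample request and host names are constructed.

```javascript
// Added illustration (not CsFire's code): a simplified client-side CSRF
// policy that strips ambient authentication from cross-domain requests
// unless the destination server has declared that cross-domain traffic intended.

// Constructed, tiny public-suffix table; a browser would use the full list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "be", "co.uk"]);

// Reduce a host to its registrable domain, e.g. "a.b.example.co.uk" -> "example.co.uk".
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      // The label directly in front of the public suffix starts the registrable domain.
      return i === 0 ? host.toLowerCase() : labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase(); // unknown suffix: treat the whole host as registrable
}

function isCrossDomain(originHost, targetHost) {
  return registrableDomain(originHost) !== registrableDomain(targetHost);
}

// Hypothetical server-declared refinements (shape assumed for this example):
// each entry whitelists an (origin domain, method, path prefix) combination
// for which the server expects authenticated cross-domain requests.
function refinementAllows(refinements, originHost, request) {
  return refinements.some(r =>
    r.originDomain === registrableDomain(originHost) &&
    (r.method === "*" || r.method === request.method) &&
    request.path.startsWith(r.pathPrefix));
}

const AUTH_HEADERS = ["cookie", "authorization"];

// Decide what the client does with an outgoing request. Returns a copy of the
// request (never mutating the input) annotated with the decision taken.
function enforce(request, originHost, refinements = []) {
  const out = { ...request, headers: { ...request.headers } };
  if (!isCrossDomain(originHost, request.host)) {
    return { ...out, decision: "allow", reason: "same-domain" };
  }
  if (refinementAllows(refinements, originHost, request)) {
    return { ...out, decision: "allow", reason: "server-declared" };
  }
  const stripped = [];
  for (const h of Object.keys(out.headers)) {
    if (AUTH_HEADERS.includes(h.toLowerCase())) {
      delete out.headers[h];
      stripped.push(h);
    }
  }
  return { ...out, decision: "strip", reason: "cross-domain", stripped };
}

// Constructed sample: a page on attacker.org forges a transfer on bank.com.
// The browser would normally attach the bank session cookie automatically.
const forged = {
  method: "POST", host: "www.bank.com", path: "/transfer",
  headers: { Cookie: "session=abc123", "Content-Type": "application/x-www-form-urlencoded" },
  body: "to=mallory&amount=1000",
};

// Constructed refinement: bank.com declares that POSTs to its SSO callback
// coming from the identity provider idp.com are intended cross-domain traffic.
const ssoRefinements = [{ originDomain: "idp.com", method: "POST", pathPrefix: "/sso/callback" }];

console.log(enforce(forged, "evil.attacker.org").decision);      // strip
console.log(enforce(forged, "login.bank.com").decision);         // allow
```

The forged transfer still reaches the bank, but without the session cookie it is handled as an unauthenticated request, which is the point of the client-side approach: the server needs no change. The SSO refinement shows why a purely client-side policy would break single sign-on, and why the server-declared exception is scoped to an origin, method and path rather than to a whole domain.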
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
De Ryck, P., Desmet, L., Heyman, T., Piessens, F., Joosen, W. (2010). CsFire: Transparent Client-Side Mitigation of Malicious Cross-Domain Requests. In: Massacci, F., Wallach, D., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2010. Lecture Notes in Computer Science, vol 5965. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11747-3_2
DOI: https://doi.org/10.1007/978-3-642-11747-3_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11746-6
Online ISBN: 978-3-642-11747-3
eBook Packages: Computer Science; Computer Science (R0)