Robust defenses for cross-site request forgery

Authors: Adam Barth, Collin Jackson, John C. Mitchell

DOI: 10.1145/1455770.1455782

Keywords:

Abstract: Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the honest web site as the attacker. The severity of a login CSRF vulnerability varies by site, but it can be as severe as a cross-site scripting vulnerability. We detail three major CSRF defense techniques and find shortcomings with each technique. Although the HTTP Referer header could provide an effective defense, our experimental observation of 283,945 advertisement impressions indicates that the header is widely blocked at the network layer due to privacy concerns. Our observations do suggest, however, that the header can be used today as a reliable CSRF defense over HTTPS, making it particularly well-suited for defending against login CSRF. For the long term, we propose that browsers implement the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns.
