Sciweavers

ESORICS
2011
Springer

Automatic and Precise Client-Side Protection against CSRF Attacks

12 years 11 months ago
Automatic and Precise Client-Side Protection against CSRF Attacks
A common client-side countermeasure against Cross Site Request Forgery (CSRF) is to strip session and authentication information from malicious requests. The difficulty however is in determining when a request is malicious. Existing client-side countermeasures are typically too strict, thus breaking many existing websites that rely on authenticated cross-origin requests, such as sites that use third-party payment or single sign-on solutions. The contribution of this paper is the design, implementation and evaluation of a request filtering algorithm that automatically and precisely identifies expected cross-origin requests, based on whether they are preceded by certain indicators of collaboration between sites. We formally show through bounded-scope model checking that our algorithm protects against CSRF attacks under one specific assumption about the way in which good sites collaborate cross-origin. We provide experimental evidence that this assumption is realistic: in a data set of...
Philippe De Ryck, Lieven Desmet, Wouter Joosen, Fr
Added 20 Dec 2011
Updated 20 Dec 2011
Type Journal
Year 2011
Where ESORICS
Authors Philippe De Ryck, Lieven Desmet, Wouter Joosen, Frank Piessens
Comments (0)