No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Enhanced CSRF Defense Using a Secret Value Between Server and User
Abstract
Cross-Site Request Forgery is one of the attack techniques occurring in today`s Web Applications. It allows an unauthorized attacker to send authorized requests to Web Server through end-users` browsers. These requests are approved by the Web Server as normal requests therefore unexpected results arise. The problem is that the Web Server verifies an end-user using his Cookie information. In this paper, we propose an enhanced CSRF defense scheme which uses Page Identifier and user password`s hash value in addition to the Cookie value which is used to verify the normal requests. Our solution is simple to implement and solves the problem of the token disclosure when only a random token is used for normal request verification.
Open-source software is widely being adopted by developers due to their ease of accessibility over the internet. The increasing popularity of this kind of software development model has led to a huge number of such projects that exist on the internet. Since it is open access and the code is freely distributed, people usually face security issues when using them. The number of developers involved in such projects is thousands in number and likewise, the number of users using such projects is million in numbers. The purpose of this work is to discuss the security challenges and vulnerabilities of web-based open-source software systems. The work starts with a discussion of the common security assessment methodologies usually practiced by development teams to ensure security in such kind of software. The aim of this work is to create an updated reference or guide for developers wanting to use web-based open source systems securely.
Today web applications are becoming the prime target for cyber-attacks. Web attacks are growing in numbers, with most of organizations in a broad survey reporting that they had recently suffered Web attacks.Last few years have shown a significant increase in the number of web-based attacks. Structured Query Language (SQL) injection, Cross Site Scripting (XSS), Insecure Direct Object Reference, Command Injection, Session manipulation and Parameter or URL Tempering are some of the major attacks which are application layer attacks. This paper demonstrates how attackers are discovered, exploit application-level vulnerabilities in a large number of web applications and present the different techniques to prevent web application attacks. Using this research paper researcher can examine how web application firewall is better technique for preventing web application vulnerability. This approach allows us to secure our web application.
Cross-Site Request Forgery (CSRF) vulnerability is extremely widespread and one of the top ten Web application vulnerabilities of the Open Web Application Security Project (OWASP). In this paper, we explore the CSRF vulnerabilities, illustrate the real-world CSRF attack, and present novel CSRF attack tree models. The threat models provide for exploring, understanding, and validating security protection features in realistic web application scenarios.
Internet Explorer is the popular internet browser the most in domestic. In some version of Internet Explorer, user information could be leaked cause CORS(Cross-Origin Resource Sharing) Internet Explorer support. Different before, without setup a malicious program, attacker can get the user information even account information, credit card usage list and user information with SNS or internet portal site logged in regardless of secure program. Not only Internet Explorer but also mobile browser, it could be. In this paper, we make study of the potential disclosure of user information by attack using CORS, second attack and the way to improvement of vulnerability of CORS.
Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the security community members. In the same way, a plethora of more or less effective defense techniques have been proposed, addressing the causes and effects of XSS vulnerabilities. NoScript, and disabling scripting code in non-browser applications such as e-mail clients or instant messengers.
As a result, an adversary often can no longer inject or even execute arbitrary scripting code in several real-life scenarios.
In this paper, we examine the attack surface that remains after XSS and similar scripting attacks are supposedly mitigated by preventing an attacker from executing JavaScript code. We address the question of whether an attacker really needs JavaScript or similar functionality to perform attacks aiming for information theft. The surprising result is that an attacker can also abuse Cascading Style Sheets (CSS) in combination with other Web techniques like plain HTML, inactive SVG images or font files. Through several case studies, we introduce the so called scriptless attacks and demonstrate that an adversary might not need to execute code to preserve his ability to extract sensitive information from well protected websites. More precisely, we show that an attacker can use seemingly benign features to build side channel attacks that measure and exfiltrate almost arbitrary data displayed on a given website.
We conclude this paper with a discussion of potential mitigation techniques against this class of attacks. In addition, we have implemented a browser patch that enables a website to make a vital determination as to being loaded in a detached view or pop-up window. This approach proves useful for prevention of certain types of attacks we here discuss.
Since the early days of Netscape, browser vendors and web security researchers have restricted out-going data based on its destination. The security argument accompanying these mechanisms is that they prevent sensitive user data from being sent to the attacker's domain. However, in this paper, we show that regulating web information flow based on its destination server is an inherently flawed security practice. It is vulnerable to self-exfiltration attacks, where an adversary stashes stolen information in the database of a whitelisted site, then later independently connects to the whitelisted site to retrieve the information. We describe eight existing browser security mechanisms that are vulnerable to these "self-exfiltration" attacks. Furthermore, we discovered at least one exfiltration channel for each of the Alexa top 100 websites. None of the existing information flow control mechanisms we surveyed are sufficient to protect data from being leaked to the attacker. Our goal is to prevent browser vendors and researchers from falling into this trap by designing more systems that are vulnerable to self-exfiltration.
Recently, for secure software development, static analysis tools have been used mostly to analyze the source code of the software and identify software weaknesses caused of vulnerabilities. In order to select the optimal static analysis tool, both weaknesses rules and analysis capabilities of the tool are important factors. Therefore, in this paper we propose the test codes developed for evaluating the rules and analysis capabilities of the tools. The test codes to involve 43 weaknesses such as SQL injection etc. can be used to evaluate the adequacy of the rules and analysis capabilities of the tools.
If the SW weaknesses, which are the main cause of cyber breaches, are analyzed and removed in the SW development stages, the cyber breaches can be prevented effectively. In case of Domestic, removing SW weaknesses by applying Secure SDLC(SW Development Life Cycle) has become mandatory. In order to analyze and remove the SW weaknesses effectively, reliable SW weakness diagnostic tools are required. Therefore, we propose the functional requirements of diagnostic tool which is suitable for the domestic environment and the evaluation methodology which can assure the reliability of the diagnostic tools. Then, to analyze the effectiveness of the proposed evaluation framework, both demonstration results and process are presented.
Cross-Site Request Forgery (CSRF) attacks are one of the top threats on the web today. These attacks exploit ambient authority in browsers (eg cookies, HTTP authentication state), turning them into confused deputies and causing undesired side effects on vulnerable web sites. Existing defenses against CSRFs fall short in their coverage and/or ease of deployment. In this paper, we present a browser/server solution, Allowed Referrer Lists (ARLs), that addresses the root cause of CSRFs and removes ambient authority for participating web sites that want to be resilient to CSRF attacks. Our solution is easy for web sites to adopt and does not affect any functionality on non-participating sites. We have implemented our design in Firefox and have evaluated it with real-world sites. We found that ARLs successfully block CSRF attacks, are simpler to implement than existing defenses, and do not significantly impact browser performance.
Cross-site request forgery (CSRF/XSRF) is a serious vulnerability in Web 2.0 environment. With CSRF, an adversary can spoof the payload of an HTTP request and entice the victim's browser to transmit an HTTP request to the web server. Consequently, the server cannot determine legitimacy of the HTTP request. This paper presents a light-weight CSRF prevention method by introducing a quarantine system to inspect suspicious scripts on the server-side. Instead of using script filtering and rewriting approach, this scheme is based on a new labeling mechanism (we called it Content Box) which enables the web server to distinguish the malicious requests from the harmless requests without the need to modify the user created contents (UCCs). Consequently, a malicious request can be blocked when it attempts to access critical web services that was defined by the web administrator. To demonstrate the effectiveness of the proposed scheme, the proposed scheme was implemented and the performance was evaluated.
A cross site request forgery (CSRF) attack occurs when a user's web browser is instructed by a malicious webpage to send a request to a vulnerable web site, resulting in the vulnerable web site performing actions not intended by the user. CSRF vulnerabilities are very common, and consequences of such attacks are most serious with flnancial web- sites. We recognize that CSRF attacks are an example of the confused deputy problem, in which the browser is viewed by websites as the deputy of the user, but may be tricked into sending requests that violate the user's intention. We propose Browser-Enforced Authenticity Protection (BEAP), a browser-based mechanism to defend against CSRF attacks. BEAP infers whether a request re∞ects the user's intention and whether an authentication token is sensitive, and strips sensitive authentication tokens from any request that may not re∞ect the user's intention. The inference is based on the information about the request (e.g., how the request is triggered and crafted) and heuristics derived from analyzing real-world web applications. We have implemented BEAP as a Firefox browser extension, and show that BEAP can efiectively defend against the CSRF attacks and does not break the existing web applications.
Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new vari- ation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the vic- tim into the honest web site as the attacker. The severity of a login CSRF vulnerability varies by site, but it can be as severe as a cross-site scripting vulnerability. We detail three major CSRF defense techniques and find shortcomings with each technique. Although the HTTP Referer header could provide an eective defense, our experimental obser- vation of 283,945 advertisement impressions indicates that the header is widely blocked at the network layer due to pri- vacy concerns. Our observations do suggest, however, that the header can be used today as a reliable CSRF defense over HTTPS, making it particularly well-suited for defend- ing against login CSRF. For the long term, we propose that browsers implement the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns.
Protecting users in the ubiquitous online world is becoming more and more important, as shown by web application security { or the lack thereof { making the mainstream news. One of the more harmful attacks is cross-site request forgery (CSRF), which allows an attacker to make requests to certain web applications while impersonating the user without their awareness. Existing client-side protection mechanisms do not fully mitigate the problem or have a degrading eect on the browsing experience of the user, especially with web 2.0 techniques such as AJAX, mashups and single sign-on. To ll this gap, this paper makes three con- tributions: rst, a thorough trac analysis on real-world trac quanti- es the amount of cross-domain trac and identies its specic proper- ties. Second, a client-side enforcement policy has been constructed and a Firefox extension, named CsFire (CeaseFire), has been implemented to autonomously mitigate CSRF attacks as precise as possible. Evalu- ation was done using specic
CSRF defense using page identifier and sessionID
- J H Park
- I Y Jung
- S J Kim
J. H. Park, I. Y. Jung, and S. J. Kim, "CSRF
defense using page identifier and sessionID,"
UCWIT(2013), Daegu, Korea, Dec. 2013.
The Ten Most Critical Web Application Security Risks
OWASP, The Ten Most Critical Web
Application Security Risks(2013), Retrieved
Dec., 30, 2013, from https://www.owasp.org/in
dex.php/Category:OWASP_Top_Ten_Project.