Access Restriction

Author Jovanovic, Nenad ♦ Kirda, Engin ♦ Kruegel, Christopher
Source CiteSeerX
Content type Text
File Format PDF
Language English
Subject Domain (in DDC) Computer science, information & general works ♦ Data processing & computer science
Subject Keyword Web Increase ♦ Performed Action ♦ Manual Effort ♦ Web Application Developer ♦ Server-side Proxy ♦ Xsrf Attack ♦ Many Web Application ♦ Automatic Protection ♦ Cross Site Request Forgery Attack ♦ Web Application Security ♦ New Security Problem ♦ Arbitrary Http Request ♦ Defense Technique ♦ Authenticated User ♦ Mitigation Approach ♦ Web-based Information System ♦ Previous Work ♦ Sql Injection Attack ♦ Cross Site Request Forgery ♦ Victim User ♦ Popular Open-source Web Application ♦ Much Attention ♦ Indispensable Part ♦ Web Application ♦ Experimental Result ♦ Cross Site Scripting
Description The web has become an indispensable part of our lives. Unfortunately, as our dependency on the web increases, so does the interest of attackers in exploiting web applications and web-based information systems. Previous work in the field of web application security has mainly focused on the mitigation of Cross Site Scripting (XSS) and SQL injection attacks. In contrast, Cross Site Request Forgery (XSRF) attacks have not received much attention. In an XSRF attack, the trust of a web application in its authenticated users is exploited by letting the attacker make arbitrary HTTP requests on behalf of a victim user. The problem is that web applications typically act upon such requests without verifying that the performed actions are indeed intentional. Because XSRF is a relatively new security problem, it is largely unknown by web application developers. As a result, there exist many web applications that are vulnerable to XSRF. Unfortunately, existing mitigation approaches are time-consuming and error-prone, as they require manual effort to integrate defense techniques into existing systems. In this paper, we present a solution that provides a completely automatic protection from XSRF attacks. More precisely, our approach is based on a server-side proxy that detects and prevents XSRF attacks in a way that is transparent to users as well as to the web application itself. We provide experimental results that demonstrate that we can use our prototype to secure a number of popular open-source web applications, without negatively affecting their behavior.
Educational Role Student ♦ Teacher
Age Range above 22 year
Educational Use Research
Education Level UG and PG ♦ Career/Technical Study
Learning Resource Type Article
Publisher Date 2006-01-01
Publisher Institution In Proceedings of the Second IEEE Conference on Security and Privacy in Communications Networks (SecureComm