
Evolution of cross site request forgery attacks

  • SSTIC 2007 Best Academic Papers
  • Journal in Computer Virology

Abstract

This paper presents a state of the art of cross-site request forgery (CSRF) attacks and new techniques that potential intruders can use to make them more effective. Several attack scenarios on widely used web applications are discussed, and a vulnerability that affects most recent browsers is explained. This vulnerability makes it possible to perform effective CSRF attacks using the XMLHttpRequest object. In addition, this paper describes a new technique that preserves the malicious code on the target system even after the browser window is closed. Lastly, the best solutions to prevent these attacks are discussed, to enable everyone (users, browser or web application developers, professionals in charge of IT security in an organization or a company) to prevent or manage this threat.



Author information

Correspondence to Louis Nyffenegger.

Cite this article

Feil, R., Nyffenegger, L. Evolution of cross site request forgery attacks. J Comput Virol 4, 61–71 (2008). https://doi.org/10.1007/s11416-007-0068-7
