Abstract
This paper presents the state of the art of cross-site request forgery (CSRF) attacks and new techniques that potential intruders can use to make them more effective. Several attack scenarios on widely used web applications are discussed, and a vulnerability that affects most recent browsers is explained. This vulnerability makes it possible to perform effective CSRF attacks using the XMLHttpRequest object. In addition, this paper describes a new technique that preserves the malicious code on the target system even after the browser window is closed. Lastly, the best solutions to prevent these attacks are discussed so that everyone (users, browser or web application developers, and professionals in charge of IT security in an organization or a company) can prevent or manage this threat.
Feil, R., Nyffenegger, L. Evolution of cross site request forgery attacks. J Comput Virol 4, 61–71 (2008). https://doi.org/10.1007/s11416-007-0068-7