Abstract
As commonly understood, a CSRF attack involves more than one domain. In this paper we cover both cross-domain CSRF and same-domain CSRF, which overlaps with Cross-Site Scripting (XSS): if an XSS payload makes the victim's browser send requests to the same domain, it is also a CSRF, a same-domain CSRF. This kind of XSS-CSRF is widespread, and even high-profile sites cannot always avoid such vulnerabilities.
There exist mainly three defenses: Referer header checking, secret validation tokens and CAPTCHAs. The Referer header is sometimes missing [1], the secret token becomes entirely futile once XSS exists, and the CAPTCHA is too bothersome for users. Besides, [2-3] introduce client-side actions, yet purely client-side checking is not credible enough from the server's perspective, and they still suffer from the missing-Referer problem. Moreover, none of [1-3] addresses same-domain CSRF. So a client-initialized and server-accomplished defense mechanism (CSDM) is proposed.
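To make the abstract's comparison concrete, the following added example (not code from the paper) runs a Referer check in its strict and lenient forms and a secret-token check over constructed sample requests; the site name bank.example, the request layout, the token value and the request helper are all hypothetical.

```python
from urllib.parse import urlsplit

SITE_HOST = "bank.example"  # hypothetical protected site

def referer_check(headers, strict):
    """Origin/Referer check; a request with neither header passes only when lenient (cf. [1])."""
    src = headers.get("Origin") or headers.get("Referer")
    if src is None:
        return not strict
    return urlsplit(src).hostname == SITE_HOST

def token_check(session, form):
    """Secret token check; a same-origin script can read the token, so XSS-CSRF passes it."""
    tok = form.get("csrf_token")
    return tok is not None and tok == session.get("csrf_token")

def evaluate(request):
    """Report which server-side checks would accept this request."""
    return {
        "referer_strict": referer_check(request["headers"], strict=True),
        "referer_lenient": referer_check(request["headers"], strict=False),
        "token": token_check(request["session"], request["form"]),
    }

SESSION = {"csrf_token": "t0k3n"}               # constructed per-session token
TRANSFER = {"to": "acct-42", "amount": "100"}   # constructed POST body
SIGNED = dict(TRANSFER, csrf_token="t0k3n")     # same body with a valid token

def req(referer, form):
    """Constructed request; referer=None means the header is absent."""
    headers = {} if referer is None else {"Referer": referer}
    return {"headers": headers, "session": SESSION, "form": form}

REQUESTS = {
    # genuine user submitting the site's own form
    "legit": req("https://bank.example/transfer", SIGNED),
    # same user behind a proxy that strips Referer (the missing-Referer case)
    "legit_no_referer": req(None, SIGNED),
    # classic cross-domain forgery: form auto-submitted from another site
    "cross_domain": req("https://evil.example/", TRANSFER),
    # the same forgery with the Referer suppressed
    "cross_domain_no_referer": req(None, TRANSFER),
    # same-domain XSS-CSRF: injected script on bank.example read the token
    "xss_same_domain": req("https://bank.example/profile", SIGNED),
}

if __name__ == "__main__":
    for name, request in REQUESTS.items():
        print(f"{name:24}", evaluate(request))
```

The output shows the trade-off the abstract describes: the strict Referer policy rejects the legitimate proxied user, the lenient one admits the Referer-less forgery, and the token stops every cross-domain case but not the same-domain XSS-CSRF.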
This work is supported by the National Natural Science Foundation of China under Grant No. 60970140, No. 60773135 and No. 90718007.
References
[1] Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: 15th ACM Conference on Computer and Communications Security (2008)
[2] Mao, Z., Li, N., Molloy, I.: Defeating cross-site request forgery attacks with browser-enforced authenticity protection. In: 13th International Conference on Financial Cryptography and Data Security (2009)
[3] Maes, W., Heyman, T., Desmet, L., et al.: Browser protection against cross-site request forgery. In: 1st ACM Workshop on Secure Execution of Untrusted Code, co-located with the 16th ACM Conference on Computer and Communications Security (2009)
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Xing, L., Zhang, Y., Chen, S. (2010). A Client-Based and Server-Enhanced Defense Mechanism for Cross-Site Request Forgery. In: Jha, S., Sommer, R., Kreibich, C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15512-3_25
DOI: https://doi.org/10.1007/978-3-642-15512-3_25
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15511-6
Online ISBN: 978-3-642-15512-3
eBook Packages: Computer Science (R0)