i-manager Publications

Cross-Site Request Forgery: Vulnerabilities and Defenses

Bharti Nagpal*, Naresh Chauhan**, Nanhay Singh***

* Assistant Professor, Department of CSE, AIACT&R, Govt of NCT of Delhi.

** Professor and Chairman in the Dept of CSE at YMCA University of Science & Technology.

*** Associate Professor, Department of CSE, AIACT&R, Govt of NCT of Delhi.

Periodicity:March - May'2014
DOI : https://doi.org/10.26634/jit.3.2.2778

Abstract

Cross-Site Request Forgery (CSRF) attack occurs when a malicious web site causes a user’s web browser to perform an unwanted action on a trusted site. These attacks have been called the “sleeping giant” of web-based vulnerabilities, because many sites on the internet fail to protect against them because they have been largely ignored by the web development and security communities. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. This attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context.

Keywords

Cross-Site Request Forgery, Web Application Firewall, HTTP, Referrer Header, Same - origin policy ,Session Identifier, Action formulator.

How to Cite this Article?

Nagpal, B., Chauhan, N., and Singh, N. (2014). Cross-Site Request Forgery: Vulnerabilities and Defenses. i-manager’s Journal on Information Technology. 3(2), 13-21. https://doi.org/10.26634/jit.3.2.2778

References

[1]. T. Schreiber. Session Riding: (2001). A Widespread Vulnerability in Today's Web Applications. http://www.securenet.de/papers/Session\_Riding.pdf.

[2]. C. Shiflett. (2001). Foiling Cross-Site Attacks, http://www.securityfocus.com/archive/1/191390.

[3]. P.W. Cross-Site Request Forgeries. (2001). http://www.securityfocus.com/archive/1/191390.

[4]. V. T. Lam, Spiros Antonatos, P. Akritidis, and Kostas G. Anagnostakis. (2006). Puppetnets: Misusing web browsers as a distributed attack infrastructure. In Proceedings of the 13th ACM Conference on Computer and Communication Security (CCS), October.

[5]. D. Endler. (2002). The Evolution of Cross Site Scripting Attacks. http://cgisecurity.com/lib/ XSS.pdf, May.

[6]. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. (1999). Hypertext Transfer Protocol – HTTP/1.1.

[7]. A. Barth, C. Jackson, and J. C. Mitchell. (2008). Robust Defences for Cross-Site Request Forgery. In CCS.

[8]. M. Johns and J. Winter. (2006). RequestRodeo: Client Side Protection against Session Riding. In F. Piessens, editor, Proceedings of the OWASP Europe 2006 Conference, refereed papers track, Report CW448, pages 5 – 17. Department Computer wetenschappen, Katholieke Universiteit Leuven, May.

[9]. Michael Barbaro and Tom Zeller Jr. (2006). A face is exposed for AOL searcher no. 4417749. The New York Times, August http://www.nytimes.com/2006/08/09/ technology/09aol.htm.

[10]. Greg Pass, Abdur Chowdhury, and Cayley Torgeson. (2006). A picture of search. In InfoScale '06: Proceedings of the 1st International Conference on Scalable Information Systems.

[11]. OWASP. https://www.owasp.org/index.php/CSRF, Cross-Site Request Forgery, Testing for CSRF (OWASP-SM- 005).

[12]. Hossain Shahriar and Mohammad Zulkernine, (2010). ”Client side detection of Cross-site request forgery attacks”,21st international symposium on software reliability Engineering , IEEE.

[13]. Boyan Chen, Pavol Zavarsky ,Ron Ruhl and Dale Lindskog, (2011). ”A study of the effectiveness of CSRF Guard”, IEEE.

	North Americas,UK, Middle East,Europe		India	Rest of world
	USD	EUR	INR	USD-ROW
Pdf	35	35	200	20
Online	35	35	200	15
Pdf & Online	35	35	400	25

Cross-Site Request Forgery: Vulnerabilities and Defenses

Abstract

Keywords

How to Cite this Article?

References

If you have access to this article please login to view the article or kindly login to purchase the article

Purchase Instant Access

Options for accessing this content: