Cross-Site Request Forgery: Vulnerabilities and Defenses

Bharti Nagpal*, Naresh Chauhan**, Nanhay Singh***
* Assistant Professor, Department of CSE, AIACT&R, Govt of NCT of Delhi.
** Professor and Chairman in the Dept of CSE at YMCA University of Science & Technology.
*** Associate Professor, Department of CSE, AIACT&R, Govt of NCT of Delhi.
Periodicity:March - May'2014
DOI : https://doi.org/10.26634/jit.3.2.2778

Abstract

Cross-Site Request Forgery (CSRF) attack occurs when a malicious web site causes a user’s web browser to perform an unwanted action on a trusted site. These attacks have been called the “sleeping giant” of web-based vulnerabilities, because many sites on the internet fail to protect against them because they have been largely ignored by the web development and security communities. The impact of a successful cross-site request forgery attack is limited to the capabilities exposed by the vulnerable application. This attack could result in a transfer of funds, changing a password, or purchasing an item in the user's context.

Keywords

Cross-Site Request Forgery, Web Application Firewall, HTTP, Referrer Header, Same - origin policy ,Session Identifier, Action formulator.

How to Cite this Article?

Nagpal, B., Chauhan, N., and Singh, N. (2014). Cross-Site Request Forgery: Vulnerabilities and Defenses. i-manager’s Journal on Information Technology. 3(2), 13-21. https://doi.org/10.26634/jit.3.2.2778

References

[1]. T. Schreiber. Session Riding: (2001). A Widespread Vulnerability in Today's Web Applications. http://www.securenet.de/papers/Session\_Riding.pdf.
[2]. C. Shiflett. (2001). Foiling Cross-Site Attacks, http://www.securityfocus.com/archive/1/191390.
[3]. P.W. Cross-Site Request Forgeries. (2001). http://www.securityfocus.com/archive/1/191390.
[4]. V. T. Lam, Spiros Antonatos, P. Akritidis, and Kostas G. Anagnostakis. (2006). Puppetnets: Misusing web browsers as a distributed attack infrastructure. In Proceedings of the 13th ACM Conference on Computer and Communication Security (CCS), October.
[5]. D. Endler. (2002). The Evolution of Cross Site Scripting Attacks. http://cgisecurity.com/lib/ XSS.pdf, May.
[6]. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. (1999). Hypertext Transfer Protocol – HTTP/1.1.
[7]. A. Barth, C. Jackson, and J. C. Mitchell. (2008). Robust Defences for Cross-Site Request Forgery. In CCS.
[8]. M. Johns and J. Winter. (2006). RequestRodeo: Client Side Protection against Session Riding. In F. Piessens, editor, Proceedings of the OWASP Europe 2006 Conference, refereed papers track, Report CW448, pages 5 – 17. Department Computer wetenschappen, Katholieke Universiteit Leuven, May.
[9]. Michael Barbaro and Tom Zeller Jr. (2006). A face is exposed for AOL searcher no. 4417749. The New York Times, August http://www.nytimes.com/2006/08/09/ technology/09aol.htm.
[10]. Greg Pass, Abdur Chowdhury, and Cayley Torgeson. (2006). A picture of search. In InfoScale '06: Proceedings of the 1st International Conference on Scalable Information Systems.
[11]. OWASP. https://www.owasp.org/index.php/CSRF, Cross-Site Request Forgery, Testing for CSRF (OWASP-SM- 005).
[12]. Hossain Shahriar and Mohammad Zulkernine, (2010). ”Client side detection of Cross-site request forgery attacks”,21st international symposium on software reliability Engineering , IEEE.
[13]. Boyan Chen, Pavol Zavarsky ,Ron Ruhl and Dale Lindskog, (2011). ”A study of the effectiveness of CSRF Guard”, IEEE.
If you have access to this article please login to view the article or kindly login to purchase the article

Purchase Instant Access

Single Article

North Americas,UK,
Middle East,Europe
India Rest of world
USD EUR INR USD-ROW
Pdf 35 35 200 20
Online 35 35 200 15
Pdf & Online 35 35 400 25

Options for accessing this content:
  • If you would like institutional access to this content, please recommend the title to your librarian.
    Library Recommendation Form
  • If you already have i-manager's user account: Login above and proceed to purchase the article.
  • New Users: Please register, then proceed to purchase the article.