CSRF Vulnerabilities and Defensive Techniques

Full Text (PDF, 131KB), pp. 31-37


Author(s)

Rupali D. Kombade 1,*, B.B. Meshram 1

1. Veermata Jijabai Technological Institute, Matunga, Mumbai

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2012.01.04

Received: 20 Apr. 2011 / Revised: 11 Aug. 2011 / Accepted: 2 Oct. 2011 / Published: 8 Feb. 2012

Index Terms

Web Application, Vulnerability, Attacks, Defensive Measures, Cross-Site Request Forgery

Abstract

Web applications are now part of day-to-day life thanks to their user-friendly environment and the technological advances that provide internet facilities, but these web applications bring many threats with them, and these threats are continuously growing; one of them is Cross-Site Request Forgery (CSRF). CSRF has emerged as a serious threat to web applications; it is based on vulnerabilities present in the normal request-response pattern of the HTTP protocol. It is difficult to detect and is therefore present in most existing web applications. A CSRF attack occurs when a malicious web site causes a user's web browser to perform an unwanted action on a trusted site. It is listed in OWASP's top ten web application attacks. In this survey paper we study the CSRF attack, CSRF vulnerabilities and their defensive measures. We have compared various defense mechanisms to identify the best one. This study will help us build a strong and robust CSRF protection mechanism.
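The abstract describes the flaw (a cross-site page makes the browser send a request that the trusted site authorises on the cookie alone) and refers to defensive measures without naming them here. The following is an added example, not the paper's code, that models that request-response pattern with a minimal in-memory "bank" site: one handler trusts the session cookie alone, the other adds a per-session synchronizer token and an Origin check, which are assumed here as representative of the defenses such surveys compare. All names, the session store and the replayed requests are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for a framework's session store and the
# abstract's "trusted site" (added example, not the paper's code).
SESSIONS = {}                      # session_id -> {"user": ..., "csrf_token": ...}
BALANCES = {"alice": 100, "bob": 0}
SITE_ORIGIN = "https://bank.example"

def login(user):
    """Create a session and a per-session anti-CSRF (synchronizer) token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def _move(src, dst, amount):
    if BALANCES.get(src, 0) < amount or dst not in BALANCES:
        raise ValueError("invalid transfer")
    BALANCES[src] -= amount
    BALANCES[dst] += amount

def transfer_vulnerable(request):
    """Authorised by the session cookie alone, which the browser attaches
    no matter which page caused the request, so the transfer goes through."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401
    _move(sess["user"], request["form"]["to"], int(request["form"]["amount"]))
    return 200

def transfer_protected(request):
    """Hardened: the form must carry the secret token the site embedded in its
    own page (a foreign page cannot read it), and an Origin header, which the
    browser sets itself, must name this site whenever it is present."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return 401
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    if not hmac.compare_digest(request["form"].get("csrf_token", ""), sess["csrf_token"]):
        return 403
    _move(sess["user"], request["form"]["to"], int(request["form"]["amount"]))
    return 200

def demo():
    """Replay a cross-site and a same-site request against each handler."""
    BALANCES.update({"alice": 100, "bob": 0})
    sid = login("alice")
    same_site = {"cookies": {"sid": sid}, "headers": {"Origin": SITE_ORIGIN},
                 "form": {"to": "bob", "amount": "10", "csrf_token": SESSIONS[sid]["csrf_token"]}}
    cross_site = {"cookies": {"sid": sid}, "headers": {"Origin": "https://other.example"},
                  "form": {"to": "bob", "amount": "10"}}   # cookie attached, token unknown
    return (transfer_vulnerable(cross_site), transfer_protected(cross_site),
            transfer_protected(same_site), BALANCES["bob"])
```

`demo()` returns `(200, 403, 200, 20)`: the unprotected handler accepts the cross-site request, the hardened one rejects it and still accepts the genuine same-site submission.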

Cite This Paper

Rupali D. Kombade, B.B. Meshram, "CSRF Vulnerabilities and Defensive Techniques", International Journal of Computer Network and Information Security (IJCNIS), vol. 4, no. 1, pp. 31-37, 2012. DOI: 10.5815/ijcnis.2012.01.04
