Browser protection against Cross-Site Request Forgery. In Workshop on Secure Execution of Untrusted Code (SecuCode), 2009
Abstract (Cited by 2, 2 self):
As businesses are opening up to the web, securing their web applications becomes paramount. Nevertheless, the number of web application attacks is constantly increasing. Cross-Site Request Forgery (CSRF) is one of the more serious threats to web applications and has gained a lot of attention lately. It allows an attacker to perform malicious authorized actions originating in the end-user's browser, without the user's knowledge. This paper presents a client-side policy enforcement framework to transparently protect the end-user against CSRF. To do so, the framework monitors all outgoing web requests within the browser and enforces a configurable cross-domain policy. The default policy is carefully selected to operate transparently in a web 2.0 context. In addition, the paper also proposes an optional server-side policy to improve the accuracy of the client-side policy enforcement. A prototype is implemented as a Firefox extension and is thoroughly evaluated in a web 2.0 context.
CsFire: Transparent client-side mitigation of malicious cross-domain requests
Abstract (Cited by 2, 1 self):
Protecting users in the ubiquitous online world is becoming more and more important, as shown by web application security, or the lack thereof, making the mainstream news. One of the more harmful attacks is cross-site request forgery (CSRF), which allows an attacker to make requests to certain web applications while impersonating the user without their awareness. Existing client-side protection mechanisms do not fully mitigate the problem or have a degrading effect on the browsing experience of the user, especially with web 2.0 techniques such as AJAX, mashups and single sign-on. To fill this gap, this paper makes three contributions: first, a thorough traffic analysis on real-world traffic quantifies the amount of cross-domain traffic and identifies its specific properties. Second, a client-side enforcement policy has been constructed and a Firefox extension, named CsFire (CeaseFire), has been implemented to autonomously mitigate CSRF attacks as precisely as possible. Evaluation was done using specific CSRF scenarios, as well as in real life by a group of test users. Third, the granularity of the client-side policy is improved even further by incorporating server-specific policy refinements about intended cross-domain traffic.
HTTP Integrity: A Lite and Secure Web against World Wide Woes
Abstract:
While there is no guarantee of HTTP page integrity, this issue is left unaddressed in discussions of web security. Though HTTPS can be used to solve the HTTP page integrity problem, HTTPS is shunned by web communities due to the performance overheads caused by TLS. Worse yet, HTTPS inherently breaks the distributed nature of the web by disallowing caching. The end-to-end security guarantee of HTTPS only allows web contents served by origin web servers, not caching proxies or Content Delivery Networks (CDN). Unsurprisingly, HTTPS is overkill for many applications and is avoided by many websites. Thus, webpages are completely open to attacks against HTTP page integrity. Based on these observations, we have designed a lite protocol for a secure web, HTTP Integrity (HTTPI). HTTPI relies on HTTPS to share session keys and uses them for keyed-hashing of HTTP pages. We show that HTTPI can be reliably used for many applications, since many web attacks target integrity rather than confidentiality. In order to avoid breaking the caching mechanism of the web, we decouple HTTP headers and contents for keyed-hashing. Web servers can cache or precompute content hashes for static contents, and many studies show that dynamic contents can be cached as well. Therefore, the performance degradation caused by HTTPI can go unnoticed by users.