Robust Defenses for Cross-Site Request Forgery (2008)

by Adam Barth, et al.

Citations: 50 (7 self)

BibTeX

@MISC{Barth08robustdefenses,
    author = {Adam Barth and et al.},
    title = {Robust Defenses for Cross-Site Request Forgery},
    year = {2008}
}


Abstract

Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the honest web site as the attacker. The severity of a login CSRF vulnerability varies by site, but it can be as severe as a cross-site scripting vulnerability. We detail three major CSRF defense techniques and find shortcomings with each technique. Although the HTTP Referer header could provide an effective defense, our experimental observation of 283,945 advertisement impressions indicates that the header is widely blocked at the network layer due to privacy concerns. Our observations do suggest, however, that the header can be used today as a reliable CSRF defense over HTTPS, making it particularly well-suited for defending against login CSRF. For the long term, we propose that browsers implement the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns.
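The abstract's central observation is that the Referer header is often stripped from plain-HTTP traffic but arrives reliably over HTTPS, and that a browser-supplied Origin header would give the same cross-site signal without the privacy cost. The following Python is an added illustration of one way a server can turn that into a request-validation policy; it is not code from the paper or its authors. It assumes a hypothetical trusted site `https://example.test`, a minimal `Request` container standing in for a real framework's request object, and the policy that a missing Referer is rejected on HTTPS (strict) but tolerated on HTTP (lenient), which is the reading of the abstract's HTTPS-only recommendation used here.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical trusted origin for this example; any scheme://host not listed
# here is treated as a cross-site source. Ports are not normalized, so a
# real deployment would list "https://example.test:443" too if clients send it.
TRUSTED_ORIGINS = {"https://example.test"}

# Methods that must not change server state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Constructed stand-in for a framework request object (assumption)."""
    method: str
    scheme: str                      # "http" or "https" as seen by the server
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return None


def origin_of(url):
    """Reduce a URL (e.g. a Referer value) to its scheme://host[:port] origin.

    Returns None when the value has no scheme or host, which a strict policy
    treats the same as an untrusted origin.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(req):
    """Decide whether a state-changing request may proceed.

    Returns (allowed, reason). Applied to the login form as well, this rejects
    the login-CSRF case described in the abstract: a cross-site POST carrying
    the attacker's credentials arrives with a foreign Origin or Referer.
    """
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method, no CSRF check needed"

    # Prefer the Origin header when the browser supplies it: it names only the
    # originating site, not the full URL, so there is no path to leak.
    origin = req.header("Origin")
    if origin is not None:
        if origin.lower() in TRUSTED_ORIGINS:
            return True, "Origin header matches a trusted origin"
        # Any other value, including the literal "null", is a foreign source.
        return False, f"Origin {origin!r} is not trusted"

    referer = req.header("Referer")
    if referer is None:
        if req.scheme == "https":
            # Over HTTPS the header is reliably delivered, so its absence is
            # itself suspicious: strict validation rejects the request.
            return False, "missing Referer on HTTPS request (strict validation)"
        # Over plain HTTP the header is widely stripped at the network layer;
        # rejecting here would break many legitimate users, so be lenient.
        return True, "missing Referer on HTTP request tolerated (lenient validation)"

    ref_origin = origin_of(referer)
    if ref_origin in TRUSTED_ORIGINS:
        return True, "Referer origin matches a trusted origin"
    return False, f"Referer origin {ref_origin!r} is not trusted"


if __name__ == "__main__":
    # Constructed sample requests: a forged cross-site login POST and a same-site one.
    forged = Request("POST", "https", {"Origin": "https://attacker.example"})
    genuine = Request("POST", "https", {"Referer": "https://example.test/login"})
    for req in (forged, genuine):
        print(req.headers, "->", csrf_check(req))
```

The lenient branch is the trade-off the abstract points at: on HTTP the check catches only forgeries that arrive with a foreign Referer, while on HTTPS the strict branch also blocks the header-stripping case, which is why the paper calls the Referer a reliable defense over HTTPS in particular.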
