IJIEEB Vol. 6, No. 5, 8 Oct. 2014
Cover page and Table of Contents: PDF (size: 302KB)
Full Text (PDF, 302KB), PP.10-15
Views: 0 Downloads: 0
OWASP, CSRF, HTTP, CSRF Detection Extension, reflected CSRF, Chrome extension
The number of Internet users is dramatically increased every year. Most of these users are exposed to the dangers of attackers in one way or another. The reason for this lies in the presence of many weaknesses that are not known for ordinary users. In addition, the lack of user awareness is considered as the main reason for falling into the attackers' snares. Cross Site Request Forgery (CSRF) has placed in the list of the most dangerous threats to security in OWASP Top Ten for 2013. CSRF is an attack that forces the user's browser to send or perform unwanted request or action without user awareness by exploiting a valid session between the browser and the server. When CSRF attack success, it leads to many bad consequences. An attacker may reach private and personal information and modify it. This paper aims to detect and prevent a specific type of CSRF, called reflected CSRF. In a reflected CSRF, a malicious code could be injected by the attackers. This paper explores how CSRF Detection Extension prevents the reflected CSRF by checking browser specific information. Our evaluation shows that the proposed solution is successful in preventing this type of attack.
Omar A. Batarfi, Aisha M. Alshiky, Alaa A. Almarzuki, Nora A. Farraj, "CSRFDtool: Automated Detection and Prevention of a Reflected Cross-Site Request Forgery", International Journal of Information Engineering and Electronic Business(IJIEEB), vol.6, no.5, pp.10-15, 2014. DOI:10.5815/ijieeb.2014.05.02
[1]Mateo Martinez, CISSP, "OWASP Latem Tour Venezuela 2013", 2013 the McAfee.
[2]S. Shah, "HTML5 Top 10 Threats Stealth Attacks and Silent Exploits," BlackHat Europe, 2012.
[3]C. Raghavendran, G. N. Satish, and P. S. Varma, "Security Challenges and Attacks in Mobile Ad Hoc Networks," 2013.
[4]P. I. Singh, "Robust Security System for Critical Computers," International Journal of Information Technology and Computer Science (IJITCS), vol. 4, p. 24, 2012.
[5]Siddiqui, M.S.; Verma, D., "Cross site request forgery: A common web application weakness," Communication Software and Networks (ICCSN), 2011 IEEE 3rd International Conference on , vol., no., pp.538,543, 27-29 May 2011.
[6]B. Hill, "Adaptive user interface randomization as an anti-clickjacking strategy," ed: May, 2012.
[7]A. Elias-Bachrach, "CSRF: Not All Defenses Are Created Equal," in AppSec USA 2013, 2013.
[8]Shahriar, H., & Zulkernine, M. (2010, November). Client-side detection of cross-site request forgery attacks. In Software Reliability Engineering (ISSRE), 2010 IEEE 21st International Symposium on (pp. 358-367). IEEE.
[9]B. Meshram, "Client Side CSRF Defensive Tool," International Journal of Information and Network Security (IJINS), vol. 1, pp. 171-180, 2012.
[10]R. D. Kombade and B. Meshram, "CSRF Vulnerabilities and Defensive Techniques," International Journal of Computer Network and Information Security (IJCNIS), vol. 4, p. 31, 2012.
[11]F. van der Loo, "Comparison of penetration testing tools for web applications," Master thesis, Radboud University Nijmegen, 2011. http://www. ru. nl/publish/pages/578936/frank_van_der_loo_scriptie. pdf, 2011.
[12]Jovanovic, N.; Kirda, E.; Kruegel, C., "Preventing Cross Site Request Forgery Attacks," Securecomm and Workshops, 2006 , vol., no., pp.1,10, Aug. 28 2006-Sept. 1 2006.
[13]Takesue, M., "An HTTP Extension for Secure Transfer of Confidential Data," Networking, Architecture, and Storage, 2009. NAS 2009. IEEE International Conference on , vol., no., pp.101,108, 9-11 July 2009.
[14]Shahriar, H., & Zulkernine, M. (2010, November). Client-side detection of cross-site request forgery attacks. In Software Reliability Engineering (ISSRE), 2010 IEEE 21st International Symposium on (pp. 358-367). IEEE.
[15]Boyan Chen; Zavarsky, P.; Ruhl, R.; Lindskog, D., "A Study of the Effectiveness of CSRF Guard," Privacy, security, risk and trust (passat), 2011 ieee third international conference on and 2011 ieee third international conference on social computing (socialcom) , vol., no., pp.1269,1272, 9-11 Oct. 2011.