WEB APPLICATION SECURITY - CROSS-SITE REQUEST FORGERY ATTACKS

Abstract

Cross-Site Request Forgery (CSRF) is an attack listed in the OWASP Top 10 in which a malicious website sends a request, from a different origin, to a web application against which the user is already authenticated. In this way an attacker can reach functionality in the target web application through the victim's already authenticated browser. Targets include web applications such as social media sites, in-browser email clients, online banking, and the web interfaces of network devices. Because the browser holds the valid session information attached to each request, the browser is the first place to look for symptoms of the attack and to take action. Current client-side detection methods allow requests to a trusted website only from whitelisted third-party websites. These approaches are ineffective if the policies are specified incorrectly, and they neither cover all requests nor cross-check the response content type. To overcome these limitations, we introduce a client-side detection mechanism for CSRF attacks. Our approach relies on a unique CSRF token that changes for each and every request; the token is produced by a unique number generator. The token is then matched against the user's session data and invalidated when we find a match or no token at all. This makes each token usable only once, which protects against repeated attacks. Moreover, to defeat an attacker's attempt to circumvent form visibility checking, we compare the response content type of a suspected request with the expected content type. The approach detects CSRF attacks launched through HTML form submissions and through other sources of requests that might retrieve or modify program state, and it is compatible with the latest versions of popular browsers such as IE, Firefox, and Chrome.
Because the proposed approach checks all requests that might change program state and is compatible with popular browsers, it can reduce CSRF attacks by detecting a significant number of attack requests; our evaluation results indicate that it detects most common forms of CSRF attack.
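The single-use token and content-type check described in the abstract, as an added example written for this page (not the authors' implementation): the token store, session layout and request shape are assumptions.

```python
"""Per-request, single-use CSRF token with a response content-type check.
Example code added for this page, not the authors' code; the session
store and request/response shape below are constructed assumptions."""
import secrets
from typing import Dict, Optional, Set

# Constructed store: session id -> tokens issued but not yet used.
SESSIONS: Dict[str, Set[str]] = {}


def issue_token(session_id: str) -> str:
    """Generate a fresh, unpredictable token for one form render and record it."""
    token = secrets.token_urlsafe(32)  # unique value per request
    SESSIONS.setdefault(session_id, set()).add(token)
    return token


def consume_token(session_id: str, token: Optional[str]) -> bool:
    """Accept only if the token is pending for this session, then invalidate it
    so a replayed or forged request carrying the same value is rejected."""
    if not token:
        return False  # no token at all -> reject
    pending = SESSIONS.get(session_id, set())
    if token not in pending:
        return False  # unknown, or already used once
    pending.discard(token)  # used once, never accepted again
    return True


def content_type_matches(expected: str, actual: str) -> bool:
    """Compare the expected content type with the response's Content-Type,
    ignoring parameters such as charset."""
    norm = lambda ct: ct.split(";")[0].strip().lower()
    return norm(expected) == norm(actual)


def handle_state_change(session_id: str, token: Optional[str],
                        response_content_type: str,
                        expected_content_type: str = "text/html") -> str:
    """Decide whether a state-changing request is allowed."""
    if not consume_token(session_id, token):
        return "rejected: missing, unknown or reused token"
    if not content_type_matches(expected_content_type, response_content_type):
        return "rejected: unexpected response content type"
    return "allowed"
```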

Authors and Affiliations

RadhaRani Sankuru, MadhuBabu Janjanam

How To Cite

RadhaRani Sankuru, MadhuBabu Janjanam (2013). WEB APPLICATION SECURITY - CROSS-SITE REQUEST FORGERY ATTACKS. International Journal of Computer Science & Engineering Technology, 4(8), 1194-1200. https://europub.co.uk/articles/-A-109569