Enhanced CSRF Defense Using a Secret Value Between Server and User

  • J. H. Park (박진현), Computer Communication Network Laboratory, School of Electronics Engineering, Kyungpook National University
  • I. Y. Jung (정임영), Next-Generation IT Convergence Security Laboratory, School of Electronics Engineering, Kyungpook National University
  • S. J. Kim (김순자), Computer Communication Network Laboratory, School of Electronics Engineering, Kyungpook National University
  • Received : 2013.12.23
  • Accepted : 2014.02.26
  • Published : 2014.03.31

Abstract

Cross-Site Request Forgery (CSRF) is one of the attack techniques found in today's web applications. It lets an attacker with no authorization cause an end user's browser to send requests that the web server treats as authorized: the browser attaches the victim's cookie automatically, the server accepts the request as legitimate, and an action the user never intended is carried out. The root cause is that the web server identifies the user by the information in the cookie alone. In this paper we propose an enhanced CSRF defense that verifies a request using a page identifier and the hash value of the user's password in addition to the cookie value. The scheme is simple to implement and addresses the token-disclosure weakness of the widely used defense that verifies requests with a one-time random token alone.
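One way to realize the idea sketched in the abstract (cookie plus page identifier plus a password-derived secret) is shown below. This is an added illustration, not the paper's own construction or code: it assumes the server keeps the stored password hash as an HMAC key, derives a token from the session identifier and the page identifier, embeds that token in the rendered form, and recomputes it on submission. The session store, user table, page identifiers and password are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side state standing in for a session store and a user table.
# The "password hash" is a salted SHA-256 placeholder for this example only; a real
# deployment would use the verifier its existing password-hashing scheme stores.
USERS = {
    "alice": hashlib.sha256(b"salt:alice" + b"correct horse battery staple").digest(),
}
SESSIONS = {
    "sid-7f3a": "alice",   # cookie value -> logged-in user
}


def page_token(session_id: str, page_id: str) -> str:
    """Derive the per-page request token the server embeds in a form.

    Assumed construction (this example's, not necessarily the paper's):
    token = HMAC-SHA256(key = stored password hash, msg = session_id || page_id).
    The browser only ever sees the resulting token, never the password hash.
    """
    user = SESSIONS[session_id]
    key = USERS[user]
    msg = f"{session_id}|{page_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def render_form(session_id: str, page_id: str) -> dict:
    """What the server ships to the browser for a state-changing page."""
    return {"page_id": page_id, "csrf_token": page_token(session_id, page_id)}


def verify_request(cookie_session_id: str, form: dict) -> bool:
    """Accept a state-changing request only if cookie, page identifier and the
    secret-derived token all agree. Unknown sessions and missing fields fail closed."""
    if cookie_session_id not in SESSIONS:
        return False
    page_id = form.get("page_id")
    token = form.get("csrf_token")
    if not isinstance(page_id, str) or not isinstance(token, str):
        return False
    expected = page_token(cookie_session_id, page_id)
    # Constant-time comparison so the check itself leaks nothing about the token.
    return hmac.compare_digest(expected, token)


def legitimate_flow() -> bool:
    """User loads the page, submits the form the server rendered: accepted."""
    form = render_form("sid-7f3a", "transfer-funds")
    return verify_request("sid-7f3a", form)


def cross_site_forgery() -> bool:
    """Attacker's page makes the victim's browser POST with the cookie attached,
    but cannot compute the token without the password hash: rejected."""
    forged = {"page_id": "transfer-funds", "csrf_token": secrets.token_hex(32)}
    return verify_request("sid-7f3a", forged)


def replay_on_other_page() -> bool:
    """A token captured from one page does not validate for a different page
    identifier, because the page identifier is part of the HMAC input: rejected."""
    leaked = render_form("sid-7f3a", "update-profile")["csrf_token"]
    forged = {"page_id": "transfer-funds", "csrf_token": leaked}
    return verify_request("sid-7f3a", forged)
```

Two properties of this particular construction are worth noting. The attacker gains nothing from the cookie alone, since the token depends on a secret the browser never receives, and a token disclosed from one page is bound to that page identifier. A token disclosed from the same page, however, stays valid for that page until the session or the password changes, so this realization narrows the disclosure problem rather than removing it; the page's own text does not specify how the proposed scheme combines its three inputs, so treat the HMAC layout above as an assumption.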
