http://dx.doi.org/10.7840/kics.2014.39B.3.162

Enhanced CSRF Defense Using a Secret Value Between Server and User  

Park, Jin-Hyeon (Kyungpook National University, School of Electronics Engineering, Computer Communication Network Laboratory)
Jung, Im Y. (Kyungpook National University, School of Electronics Engineering, Next-Generation IT Convergence Security Laboratory)
Kim, Sun-Ja (Kyungpook National University, School of Electronics Engineering, Computer Communication Network Laboratory)
Abstract
Cross-Site Request Forgery (CSRF) is one of the attack techniques that occur in today's Web applications. It allows an unauthorized attacker to send requests to a Web server through an end-user's browser, with the end-user's own credentials attached. Because the Web server accepts these requests as normal requests, unintended results arise. The underlying problem is that the Web server verifies the end-user solely by his cookie information. In this paper, we propose an enhanced CSRF defense scheme that uses a page identifier and the hash value of the user's password, in addition to the cookie value, to verify that a request is legitimate. Our solution is simple to implement and addresses the token-disclosure problem that arises when only a random token is used to verify requests.
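The abstract contrasts a per-session random token, which an attacker can replay anywhere in the session once it is disclosed, with a token that is bound to the session cookie, a page identifier and the stored password hash. The example below is an added illustration written for this page, not the authors' implementation (the paper's exact construction is not reproduced here); it binds the three values with a keyed HMAC so that a disclosed token reveals none of its inputs and cannot be re-derived for another page, another session, or after a password change. `SERVER_KEY`, `USER_SALT`, the session identifiers and the page paths are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a server-side key and a per-user salt.
# Neither value ever leaves the server, and neither is a real deployment secret.
SERVER_KEY = b"example-only-server-key"
USER_SALT = b"example-only-salt"


def password_hash(password: str) -> bytes:
    """Stored credential hash (PBKDF2 here; any slow password hash works).
    The server already holds this value, so no new secret has to be stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), USER_SALT, 10_000)


def bound_token(session_id: str, page_id: str, pw_hash: bytes) -> str:
    """Token bound to the session cookie, the page it was issued for, and the
    user's stored password hash. A keyed MAC: disclosing the token reveals none
    of its inputs, and an attacker without SERVER_KEY cannot mint one."""
    msg = b"|".join([session_id.encode(), page_id.encode(), pw_hash])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def verify_bound(session_id: str, page_id: str, pw_hash: bytes, presented: str) -> bool:
    """The server recomputes the token for the page that actually received the
    request; the constant-time compare avoids a timing side channel."""
    expected = bound_token(session_id, page_id, pw_hash)
    return hmac.compare_digest(expected, presented)


# Baseline for comparison: one random token per session, accepted on every page.
def random_token_issue(store: dict, session_id: str) -> str:
    store[session_id] = secrets.token_hex(16)
    return store[session_id]


def verify_random(store: dict, session_id: str, presented: str) -> bool:
    return hmac.compare_digest(store.get(session_id, ""), presented)


def leaked_token_scenario() -> dict:
    """Constructed scenario: the attacker learns the token embedded in /profile
    and replays it in a forged POST to /transfer inside the victim's session."""
    sid = "sess-victim-1"
    pw = password_hash("correct horse battery staple")
    leaked_bound = bound_token(sid, "/profile", pw)
    store = {}
    leaked_random = random_token_issue(store, sid)
    return {
        # Random token: the leaked value is valid for any page in the session.
        "random_replay_accepted": verify_random(store, sid, leaked_random),
        # Bound token: the same leak is useless on a different page...
        "bound_replay_accepted": verify_bound(sid, "/transfer", pw, leaked_bound),
        # ...still works on the page it was issued for...
        "bound_same_page_accepted": verify_bound(sid, "/profile", pw, leaked_bound),
        # ...fails in another session, and fails once the password changes.
        "bound_other_session_accepted": verify_bound("sess-other", "/profile", pw, leaked_bound),
        "bound_after_password_change": verify_bound(sid, "/profile", password_hash("new-pass"), leaked_bound),
    }


if __name__ == "__main__":
    for name, accepted in leaked_token_scenario().items():
        print(f"{name}: {accepted}")
```

Two practical caveats follow from the code itself. First, the page identifier must name the endpoint that performs the sensitive action, not just the page that rendered the form, or the binding buys nothing. Second, a token disclosed from the very page that hosts the sensitive action still replays on that page, so binding narrows the window of a disclosure rather than eliminating it; it should sit alongside, not replace, same-origin checks and cookie attributes.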
Keywords
Cross-Site Request Forgery; Authentication; Web Security; Browser Security;