Light-weight CSRF protection by labeling user-created contents

Yin Chang Sung, Michael Cheng Yi Cho, Chi Wei Wang, Chia Wei Hsu, Shiuh-Pyng Shieh

Research output: Contribution to conference › Paper

Abstract

Cross-site request forgery (CSRF/XSRF) is a serious vulnerability in Web 2.0 environments. With CSRF, an adversary can spoof the payload of an HTTP request and entice the victim's browser to transmit that request to the web server. Consequently, the server cannot determine the legitimacy of the HTTP request. This paper presents a light-weight CSRF prevention method that introduces a quarantine system to inspect suspicious scripts on the server side. Instead of using a script filtering and rewriting approach, this scheme is based on a new labeling mechanism (which we call Content Box) that enables the web server to distinguish malicious requests from harmless requests without the need to modify the user-created contents (UCCs). Consequently, a malicious request can be blocked when it attempts to access critical web services that were defined by the web administrator. To demonstrate the effectiveness of the proposed scheme, it was implemented and its performance was evaluated.

Original language: English
Pages: 60-69
Number of pages: 10
DOIs
State: Published - 9 Sep 2013
Event: 7th International Conference on Software Security and Reliability, SERE 2013 - Gaithersburg, MD, United States
Duration: 18 Jun 2013 - 20 Jun 2013

Conference

Conference: 7th International Conference on Software Security and Reliability, SERE 2013
Country: United States
City: Gaithersburg, MD
Period: 18/06/13 - 20/06/13

Keywords

  • Web 2.0
  • cross-site request forgery
  • light-weight
  • user-created contents
