Abstract

In recent years, the web has been an indispensable part of business all over the world, and web browsers have become the backbones of today's systems and applications. Unfortunately, the number of web application attacks has increased a great deal, so securing web applications is a matter of concern. One of the most serious cyber-attacks is cross site request forgery (CSRF). CSRF has been recognized among the major threats to web applications and among the top ten worst vulnerabilities for web applications. In a CSRF attack, an attacker takes the liberty of being authorized to perform a sensitive action on a target website on behalf of a user without the user's knowledge. This paper provides an overview of the CSRF attack, describing the various possible attacks, the solutions developed, and the risks in the current preventive techniques. It then proposes a highly effective protection mechanism against reflected CSRF called RCSR. RCSR is a tool that gives computer users full control over the attack. The RCSR tool relies on identifying the source of an HTTP request, whether it comes from a different tab or from the same tab of a valid user; it observes and intercepts every request passing through the user's browser, extracts session information and posts it to the server, and the server then creates a token for the user's session. We tested the RCSR extension; our evaluation results show that it works well and successfully protects web applications against reflected CSRF.

Highlights

  • In recent years, the web has been an indispensable part of business all over the world and web browsers have become the backbones of today's systems and applications

  • CsFire [8] is an extension integrated into the Mozilla browser to mitigate cross site request forgery (CSRF) attacks; it extends the work of Maes et al. [8]. CsFire is the only system that provides formal validation through bounded model checking to defend against CSRF in the formal model of the web developed by Akhawe et al. [8]

  • One of the most serious cyber-attacks has been by cross site request forgery (CSRF)


Summary

INTRODUCTION

The web has been an indispensable part of business all over the world, and web browsers have become the backbones of today's systems and applications. A CSRF attacker takes advantage of the implicit authentication mechanisms of the HTTP protocol and the credentials cached in the browser to inject web applications with malicious script [17]. A CSRF attack tricks the user's browser into performing requests to a target website that is vulnerable to CSRF [4]. The attacker may place an image tag on a third-party website that contains a request to perform a sensitive action (withdrawing money) on a trusted website where the user is authenticated (mybank.com), probably without the user's knowledge. Later, when the user visits the web pages of the target website, the browser will automatically attach the login identity cookie to the HTTP request [10]. The attacker is able to abuse this authenticated period to make the user's browser perform authenticated requests, probably without the user's knowledge, and that is what is called cross site request forgery (CSRF).
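As an added example (not code from the paper or the RCSR tool), a minimal server-side model of the per-session token defence the paper builds on: the cookie-only withdraw handler that a forged image request defeats, beside one that also requires the token. The session store, request dictionaries and handler names are constructed for illustration; only the mybank.com scenario comes from the text.

```python
import hmac
import secrets

def new_sessions():
    """Constructed in-memory session store: cookie value -> session record.
    The server generates one random token per session and embeds it in its own forms."""
    return {"sid-alice": {"user": "alice", "balance": 100,
                          "csrf_token": secrets.token_hex(16)}}

def cookie_only_withdraw(sessions, request):
    """'Before': the action is authorised from the session cookie alone.
    The browser attaches that cookie to any request for the bank's origin,
    including one triggered by a third-party page, so the forgery succeeds."""
    session = sessions.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    session["balance"] -= int(request["params"]["amount"])
    return 200

def token_checked_withdraw(sessions, request):
    """'After': the request must also carry the per-session token. A page on
    another origin cannot read the token, so a forged request arrives without it."""
    session = sessions.get(request["cookies"].get("sid"))
    if session is None:
        return 401
    supplied = request["params"].get("csrf_token", "")
    # Constant-time comparison so the check leaks nothing about the token.
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403
    session["balance"] -= int(request["params"]["amount"])
    return 200

def forged_request():
    """What the browser sends for <img src="https://mybank.com/withdraw?amount=50">
    embedded on a third-party page (constructed): cookie attached, no token."""
    return {"cookies": {"sid": "sid-alice"}, "params": {"amount": "50"}}

def legitimate_request(sessions):
    """Submission of the bank's own form, which carries the token the server embedded."""
    return {"cookies": {"sid": "sid-alice"},
            "params": {"amount": "50", "csrf_token": sessions["sid-alice"]["csrf_token"]}}

if __name__ == "__main__":
    s = new_sessions()
    print(cookie_only_withdraw(s, forged_request()), s["sid-alice"]["balance"])         # 200 50
    print(token_checked_withdraw(s, forged_request()), s["sid-alice"]["balance"])       # 403 50
    print(token_checked_withdraw(s, legitimate_request(s)), s["sid-alice"]["balance"])  # 200 0
```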

CROSS SITE REQUEST FORGERY
EXISTING COUNTERMEASURES
CSRF TOKENS CONCEPT
LITERATURE REVIEW
Secret validation token
Requestrodeo
CSFIRE
THE PROPOSED SCHEME
IMPLEMENTATION
EVALUATION
CONCLUSION