Abstract

Many web applications are security critical, since they involve real-world monetary transactions, e.g. online auctions or online banking. Attackers have found new attacks to exploit vulnerabilities in these web applications. Among these attacks, reflected cross-site scripting and request forgery attacks have received much attention in the recent scientific literature. There are client-side and server-side solutions which can complement each other in protecting against these cross-site attacks. Server-side solutions are currently limited to either cross-site request forgery attacks or cross-site scripting attacks which attack the integrity of the session (session theft). This paper presents a lightweight and efficient solution that prevents reflected cross-site scripting and request forgery attacks using a gateway at the server. It is so strikingly simple (yet solves this practically pressing problem) that it should be part of best practices for every web site operator. It ensures that input to a web site originated in the user's browser and has not been forged by an attacker by following a link. We show the correctness of our approach using a software model checker. Our gateway protects a web site and all of its pages against cross-site attacks and is still able to function normally while not being attacked. We evaluate our approach by applying it to a number of important web sites and see the necessary architectural changes that would need to be made.
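The abstract describes the gateway only by its goal: every request that carries input to the site must have originated from one of the site's own pages rather than from a link or form on an attacker's site. The following is an added example, not code from the paper, showing one way a server-side gateway can enforce a rule of that shape. The decision rule itself (input-bearing requests must present a same-origin `Origin` or `Referer` header; input-free requests are always admitted so that external links to landing pages keep working), the site name `bank.example`, and the sample requests are assumptions constructed for illustration and are not taken from the paper.

```python
"""Illustrative server-side gateway check for reflected XSS and CSRF.

Added example. The rule implemented here is an assumption chosen to
illustrate the abstract's stated goal (input must originate in the
user's browser on this site), not a reproduction of the paper's gateway.
"""
from urllib.parse import urlsplit

# Constructed, hypothetical origin of the protected site.
SITE_ORIGIN = "https://bank.example"

# Methods whose requests are treated as carrying input even without a body.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _origin_of(url: str) -> str:
    """Return 'scheme://host[:port]' of a URL in lower case, or '' if the
    value has no usable scheme and host (covers the literal 'null' origin)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}".lower()


def request_carries_input(method: str, path: str, body: bytes) -> bool:
    """Input reaches the application through a query string, a request body,
    or a state-changing method; such requests are the ones an attacker can
    pre-fill by luring the user onto a crafted link or auto-submitting form."""
    has_query = bool(urlsplit(path).query)
    return method in STATE_CHANGING or has_query or bool(body)


def gateway_decision(method: str, path: str, headers: dict,
                     body: bytes = b"", site_origin: str = SITE_ORIGIN):
    """Decide whether the gateway forwards a request to the application.

    Returns a (decision, reason) tuple where decision is 'allow' or 'block'.
    Requests without input are always allowed so bookmarks and external links
    to entry pages keep working. Requests with input must prove they were
    issued from a page of this site: the Origin header, or failing that the
    Referer header, must name site_origin. Anything else is blocked, which
    stops both a reflected-XSS payload arriving via a foreign link and a
    forged state-changing request submitted from another site.
    """
    method = method.upper()
    if not request_carries_input(method, path, body):
        return "allow", "no input carried"

    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer") or ""
    if not source:
        return "block", "input-bearing request without Origin/Referer"
    if _origin_of(source) == site_origin.lower():
        return "allow", "input originates from this site"
    return "block", f"input originates from foreign origin {source!r}"


# Constructed sample requests exercising the rule.
SAMPLE_REQUESTS = [
    ("GET", "/", {}, b""),
    ("GET", "/search?q=hello", {"Referer": "https://bank.example/home"}, b""),
    ("GET", "/search?q=%3Cscript%3E", {"Referer": "https://evil.example/"}, b""),
    ("POST", "/transfer", {}, b"to=attacker&amount=1000"),
    ("POST", "/transfer", {"Origin": "https://bank.example"}, b"to=alice&amount=5"),
    ("POST", "/transfer", {"Origin": "null"}, b"to=attacker&amount=1000"),
]


def run_samples():
    """Apply the gateway to the constructed requests; returns the decisions."""
    results = []
    for method, path, headers, body in SAMPLE_REQUESTS:
        decision, reason = gateway_decision(method, path, headers, body)
        results.append(decision)
        print(f"{decision:5}  {method:4} {path:24} ({reason})")
    return results


if __name__ == "__main__":
    run_samples()
```

Two design points matter for deploying a rule of this kind: the gateway must know which entry pages are meant to be reached from outside (here, any request without input), because blocking those would break ordinary linking; and browsers or privacy extensions sometimes suppress `Referer`, so the header check alone yields false blocks for users who have it disabled, which is why such a gateway is usually combined with a per-session token on forms rather than used as the sole control.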
