Browser protection against cross-site request forgery

Wim Maes, Thomas Heyman, Lieven Desmet, Wouter Joosen
2009 Proceedings of the first ACM workshop on Secure execution of untrusted code - SecuCode '09  
As businesses open up to the web, securing their web applications becomes paramount. Nevertheless, the number of web application attacks keeps increasing. Cross-Site Request Forgery (CSRF) is one of the more serious threats to web applications and has gained a lot of attention lately. It allows an attacker to have the end-user's browser issue requests that the server treats as authorized, because the browser attaches the user's ambient credentials (such as session cookies) to them, without the user's knowledge. This paper presents a client-side policy enforcement framework to protect the end-user against CSRF. To do so, the framework monitors all outgoing web requests within the browser and enforces a configurable cross-domain policy. The default policy is carefully selected to operate transparently in a web 2.0 context. In addition, the paper also proposes an optional server-side policy to improve the accuracy of the client-side policy enforcement. A prototype is implemented as a Firefox extension and is thoroughly evaluated in a web 2.0 context.
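The abstract describes the mechanism only in outline: intercept every outgoing request in the browser, decide whether it is cross-domain, and apply a configurable policy, optionally refined by a policy the target server publishes. The following is an added illustration of that idea, not the paper's Firefox extension or its actual policy language. The request shape, the rule format, the default action of stripping ambient credentials (Cookie and Authorization headers) from cross-domain requests, the exception for user-initiated top-level GET navigations, and the server-side policy format are all assumptions made for this example.

```javascript
// Added example (not the paper's code): a request filter enforcing a
// configurable cross-domain policy on outgoing browser requests.
//
// A request as the filter sees it (constructed shape, not a browser API):
//   { method, url, initiator, headers: {...}, topLevel }
// `initiator` is the origin of the page that caused the request;
// `topLevel` is true for a navigation of the main window (e.g. clicking a link).

function originOf(url) {
  return new URL(url).origin;
}

// A request is cross-domain when the initiating origin differs from the target.
function isCrossDomain(req) {
  return req.initiator !== originOf(req.url);
}

// Policy (assumed format): ordered rules, first match wins. A rule names an
// initiator origin (or "*"), a target origin, an optional method list and an
// action: "allow" (pass untouched), "strip" (drop ambient credentials) or
// "block" (drop the request). `defaultAction` covers cross-domain requests that
// match no rule. Same-domain requests are never modified.
const DEFAULT_POLICY = {
  rules: [],
  defaultAction: "strip",
  // Assumption: keep credentials on user-initiated top-level GET navigations so
  // following a link to another site does not land the user logged out.
  allowTopLevelGet: true,
};

// Headers that carry ambient authority and make a forged request "authorized".
const AMBIENT_HEADERS = ["Cookie", "Authorization"];

function matches(rule, req) {
  return (rule.from === "*" || rule.from === req.initiator)
    && rule.to === originOf(req.url)
    && (!rule.methods || rule.methods.includes(req.method));
}

// Returns { action, request } where `request` is the (possibly rewritten)
// request to send, or null when the request is blocked.
function enforce(req, policy = DEFAULT_POLICY) {
  if (!isCrossDomain(req)) return { action: "allow", request: req };

  let action = policy.defaultAction;
  if (policy.allowTopLevelGet && req.topLevel && req.method === "GET") action = "allow";
  const rule = policy.rules.find((r) => matches(r, req));
  if (rule) action = rule.action; // an explicit rule overrides the defaults

  if (action === "block") return { action, request: null };
  if (action === "allow") return { action, request: req };
  const headers = Object.fromEntries(
    Object.entries(req.headers).filter(([name]) => !AMBIENT_HEADERS.includes(name)),
  );
  return { action: "strip", request: { ...req, headers } };
}

// Optional server-side policy (assumed format): a target site declares which
// origins may send it credentialed cross-domain requests, and the client
// turns that into "allow" rules placed ahead of its own rules.
function mergeServerPolicy(policy, targetOrigin, serverPolicy) {
  const rules = serverPolicy.trustedOrigins.map((origin) => ({
    from: origin, to: targetOrigin, methods: serverPolicy.methods, action: "allow",
  }));
  return { ...policy, rules: [...rules, ...policy.rules] };
}

// Constructed sample: a forged POST from an attacker page to a bank, carrying
// the victim's session cookie. Under the default policy the cookie is removed,
// so the bank sees an unauthenticated request and rejects the transfer.
const forged = {
  method: "POST",
  url: "https://bank.example/transfer",
  initiator: "https://attacker.example",
  headers: { Cookie: "session=abc123", "Content-Type": "application/x-www-form-urlencoded" },
  topLevel: false,
};
console.log(enforce(forged));
```

The policy engine is deliberately small: the security decision is entirely in `enforce`, and the only state that matters is the initiator origin, the target origin, the method and whether the request is a top-level navigation. A server-published trust list only ever widens the policy for the origin that published it, so a site cannot grant credentials to requests aimed at another site.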
doi:10.1145/1655077.1655081 fatcat:vecta6cuhrh3np3vfgqmj6xxi4