Lightweight server support for browser-based CSRF protection

Alexei Czeskis, Alexander Moshchuk, Tadayoshi Kohno, Helen J. Wang
2013 Proceedings of the 22nd International Conference on World Wide Web - WWW '13

Cross-Site Request Forgery (CSRF) attacks are one of the top threats on the web today. These attacks exploit ambient authority in browsers (e.g., cookies, HTTP authentication state), turning them into confused deputies and causing undesired side effects on vulnerable web sites. Existing defenses against CSRFs fall short in their coverage and/or ease of deployment. In this paper, we present a browser/server solution, Allowed Referrer Lists (ARLs), that addresses the root cause of CSRFs and removes ambient authority for participating web sites that want to be resilient to CSRF attacks. Our solution is easy for web sites to adopt and does not affect any functionality on non-participating sites. We have implemented our design in Firefox and have evaluated it with real-world sites. We found that ARLs successfully block CSRF attacks, are simpler to implement than existing defenses, and do not significantly impact browser performance.
doi:10.1145/2488388.2488413 dblp:conf/www/CzeskisMKW13 fatcat:c4l4shopnbamzfbj65ea6jof24