
CHAPTER 7 EVALUATION

7.4 Defense Effectiveness

The goal of our defense is to be effective against a variety of CSRF attacks. This section discusses each situation in which the labeling mechanism prevents a CSRF attack.

CSRF attack from a different website: In a traditional CSRF attack the victim must first visit the malicious website; a script on that site forges an HTTP request and the victim's browser is forced to send it. In our labeling mechanism we detect this kind of forged request by examining the HTTP Referer header (the header name is conventionally spelled "Referer"). In current browsers the Referer header cannot be modified by JavaScript or HTML, so it can be used to detect forged HTTP requests that originate from a different website; for example, [44] makes use of such a flaw in eBay. In this case the labeling mechanism can block the forged requests simply by checking the Referer header. One caveat a deployment has to settle in advance, as [32] observes, is that browsers and proxies sometimes suppress the Referer header, so the policy for each critical service must state whether a request that carries no Referer is accepted or rejected.

A related attack is the "login CSRF attack" [32]. Its idea is to overwrite the victim's session cookie: the attacker forges a login request carrying the attacker's own credentials, so the victim's browser ends up logged in to the attacker's account. By observation, the login page is the most dangerous page of a website because it often lacks protection. Because the Referer header is a built-in header that is sent on the login request as well, the login page is protected in the same way as every other page.

CSRF attack from the same website: This kind of attack often cooperates with XSS, and the attacker does not need to set up a website. The attacker first uploads malicious scripts into the honest website's database as user-contributed content (UCC). When a victim browses the polluted web page, the victim's browser executes the malicious scripts automatically. The attacker takes advantage of AJAX, which can create HTTP requests and customize HTTP request headers, and because the script runs inside the honest website's own pages, the forged request carries the honest website's Referer and passes the check from the previous case. To prevent this multi-stage CSRF attack, the labeling function ensures that UCC is isolated in an iframe and that every HTTP request is tagged with the corresponding label. Once all forged requests are captured, the CSRF attack can be blocked easily.
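The two checks above, the Referer comparison for cross-site requests and the per-label policy for requests that come from isolated UCC, can be seen together in the following server-side classifier. This is an added example, not the thesis's own implementation: the protected site https://social.example, the separate origin https://ucc.social.example on which UCC iframes are assumed to be served, the policy table and the sample requests are all constructed for the example. The thesis's actual label format is not given on this page; here the request's origin, taken from the Origin header (which browsers attach to AJAX and cross-site requests and which scripts cannot set) with the Referer header as fallback, serves as the label.

```javascript
// Added example (not the thesis's code): a request classifier applying the
// Referer/Origin check and a per-service label policy from Section 7.4.
// All origins, paths and requests below are hypothetical and constructed.

const SITE_ORIGIN = "https://social.example";     // hypothetical protected site
const UCC_ORIGIN = "https://ucc.social.example";  // hypothetical isolated origin for UCC iframes

// Policy for critical services, constructed for this example: the request's
// label (its origin) must be in the allow list. Paths not listed are
// non-critical and are served without a label check.
const POLICY = {
  "/login":        [SITE_ORIGIN],
  "/post/delete":  [SITE_ORIGIN],
  "/post/comment": [SITE_ORIGIN, UCC_ORIGIN],
};

// Origin (scheme://host[:port]) of a URL, or null if it does not parse.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Derive the request's label. Origin is preferred; Referer is the fallback
// for plain navigations and older browsers. Both are headers that page
// JavaScript cannot set, which is what makes the label trustworthy.
function labelOf(headers) {
  const origin = headers["origin"];
  if (origin !== undefined) {
    // A sandboxed iframe without allow-same-origin sends the literal "null".
    return origin === "null" ? null : origin;
  }
  const referer = headers["referer"];
  return referer ? originOf(referer) : null;
}

// Classify one request {url, headers}; header names are lower-case.
function classify(req) {
  const path = new URL(req.url).pathname;
  const allowed = POLICY[path];
  if (!allowed) {
    return { decision: "allow", reason: "non-critical service" };
  }
  const label = labelOf(req.headers);
  if (label === null) {
    // Referer is sometimes stripped by proxies or privacy settings. For a
    // critical service the policy here fails closed; this is a deployment choice.
    return { decision: "deny", reason: "critical service, no usable label" };
  }
  if (!allowed.includes(label)) {
    return { decision: "deny", reason: `label ${label} not permitted for ${path}` };
  }
  return { decision: "allow", reason: `label ${label} permitted for ${path}` };
}

// Constructed sample traffic covering the cases discussed in 7.4.
const SAMPLE_REQUESTS = [
  // Traditional cross-site CSRF: a form auto-submitted from the attacker's page.
  { name: "cross-site login (login CSRF)", url: SITE_ORIGIN + "/login",
    headers: { origin: "https://evil.example", referer: "https://evil.example/trap.html" } },
  // Legitimate login from the site's own form; the browser sends Referer only.
  { name: "own login form", url: SITE_ORIGIN + "/login",
    headers: { referer: SITE_ORIGIN + "/login.html" } },
  // Same-site CSRF: script inside the isolated UCC iframe issues an AJAX delete.
  { name: "UCC iframe -> delete", url: SITE_ORIGIN + "/post/delete",
    headers: { origin: UCC_ORIGIN } },
  // The UCC iframe calling a service the policy permits it to use.
  { name: "UCC iframe -> comment", url: SITE_ORIGIN + "/post/comment",
    headers: { origin: UCC_ORIGIN } },
  // Referer stripped on the way to a critical service.
  { name: "no label on login", url: SITE_ORIGIN + "/login", headers: {} },
  // Sandboxed iframe without allow-same-origin: Origin header is "null".
  { name: "opaque origin", url: SITE_ORIGIN + "/post/delete",
    headers: { origin: "null" } },
  // Non-critical page: no label check, even when reached from a foreign site.
  { name: "public profile", url: SITE_ORIGIN + "/profile",
    headers: { referer: "https://evil.example/" } },
];

function runSamples() {
  return SAMPLE_REQUESTS.map((r) => ({ name: r.name, ...classify(r) }));
}

for (const result of runSamples()) {
  console.log(`${result.decision.padEnd(5)} ${result.name}: ${result.reason}`);
}
```

The interesting rows are the third and fifth: the AJAX delete from UCC carries the honest site's host in its Referer but a different origin as its label, so the policy rejects it, and a critical request that arrives with no label at all is rejected rather than waved through, which is the decision the Referer-suppression caveat forces a deployment to make explicitly.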


Chapter 8 Conclusion

In this paper, we pointed out the root problem of CSRF attacks and described their severity in current social network websites. After surveying existing solutions, we proposed a novel approach that defeats multi-stage CSRF attacks effectively.

Starting from the root of the CSRF problem, we proposed a light-weight labeling mechanism as the protection approach. It relies on built-in browser methods and properties to keep the performance overhead low, instead of filtering or rewriting suspicious strings. The administrator only needs to establish policies for the critical services and to place suspicious content inside an iframe tag. To keep the benefits of Web 2.0, we leave the use of JavaScript and AJAX almost unrestricted: users can still use the original JavaScript and AJAX syntax and semantics under the labeling mechanism. For convenience, the protection is provided by the website itself, without altering the browser, so members do not need to install any plug-in or add-on for a specific website. In conclusion, the proposed scheme can prevent CSRF attacks without blocking the website's interactive content.

Chapter 9 References

[1] OWASP, "OWASP Top Ten Project," 2010. Available: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

[2] P. D. Petkov, "Google GMail E-mail Hijack Technique," 2007. Available: http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

[3] S. Kamkar, "I'm popular," 2005. Description and technical explanation of the JS.Spacehero (a.k.a. "Samy") MySpace worm. Available: http://namb.la/popular

[4] World Wide Web Consortium, "Document Object Model (DOM) Level 2 Core Specification," 2000. Available: http://www.w3.org/TR/DOM-Level-2-Core/

[5] N. Jovanovic, E. Kirda, and C. Kruegel, "Preventing cross site request forgery attacks," Securecomm and Workshops, 2006, pp. 1–10.

[6] M. Heiderich, "CSRFx," 2007. Available: http://php-ids.org/category/csrfx/

[7] E. Sheridan, "OWASP CSRFGuard Project," 2008. Available: http://www.owasp.org/index.php/CSRF_Guard

[8] S. Maffeis and A. Taly, "Language-based isolation of untrusted JavaScript," IEEE Computer Security Foundations Symposium, 2009, pp. 77–91.

[9] Facebook, "Facebook JavaScript." Available: http://wiki.developers.facebook.com/index.php/FBJS

[10] D. Crockford, "ADsafe: Making JavaScript safe for advertising," 2008. Available: http://www.adsafe.org/

[11] F. Kerschbaum, "Simple cross-site attack prevention," International ICST Conference on Security and Privacy in Communication Networks, 2007, pp. 464–472.

[12] S. P. Shieh and V. D. Gligor, "On a pattern-oriented model for intrusion detection," IEEE Transactions on Knowledge and Data Engineering, vol. 9, 1997, pp. 661–667.

[13] S. P. Shieh, "A pattern-oriented intrusion-detection model and its applications," Research in Security and Privacy, 1991, pp. 327–342.

[14] P. H. Phung, D. Sands, and A. Chudnov, "Lightweight self-protecting JavaScript," Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, 2009, pp. 47–60.

[15] M. Ter Louw and V. N. Venkatakrishnan, "Blueprint: Robust prevention of cross-site scripting attacks for existing browsers," IEEE Symposium on Security and Privacy, 2009, pp. 331–346.

[16] World Wide Web Consortium, "XMLHttpRequest," 2009. Available: http://www.w3.org/TR/XMLHttpRequest/

[17] OWASP, "HttpOnly," 2002. Available: http://www.owasp.org.tw/index.php/HttpOnly

[18] Ecma International, "ECMA-262, ECMAScript Language Specification, Fifth Edition," 2009. Available: http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-262.pdf

[19] J. Resig, "ECMAScript 5 Strict Mode, JSON, and More," 2009. Available: http://ejohn.org/blog/ecmascript-5-strict-mode-json-and-more/

[20] Facebook, "Facebook." Available: http://www.facebook.com/

[21] MySpace, "MySpace." Available: http://www.myspace.com/

[22] D. Ferraiolo, D. R. Kuhn, and R. Chandramouli, "Role-Based Access Controls," Proceedings of the 15th National Computer Security Conference, 1992, pp. 554–563.

[23] Oracle Corporation, "MySQL Cluster." Available: http://www.mysql.com/products/database/cluster/

[24] The Apache Software Foundation, "Apache Hadoop." Available: http://hadoop.apache.org/

[25] Resnumerica, "Web 1.0 Vs Web 2.0," 2006. Available: http://resnumerica.free.fr/nouveau-blog/?category/web1.0/

[26] P. Bisht and V. N. Venkatakrishnan, "XSS-GUARD: Precise dynamic prevention of cross-site scripting attacks," Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), 2008, pp. 23–43.

[27] X. Lin, P. Zavarsky, R. Ruhl, and D. Lindskog, "Threat Modeling for CSRF Attacks," Proceedings of the 2009 International Conference on Computational Science and Engineering, vol. 3, 2009, pp. 486–491.

[28] A. A. Al-Tameem, "The Impact of AJAX Vulnerability in Web 2.0 Applications," Journal of Information Assurance and Security, 2008, pp. 240–244.

[29] D. Ahmad, "The confused deputy and the domain hijacker," IEEE Security and Privacy, 2008.

[30] H. Volos and H. Teonadi, "Study of security vulnerabilities in Web 2.0," 2007.

[31] R. Sandhu, E. Coyne, H. Feinstein, and C. Youman, "Role-based access control models," IEEE Computer, 1996.

[32] A. Barth, C. Jackson, and J. C. Mitchell, "Robust defenses for cross-site request forgery," Proceedings of the 15th ACM Conference on Computer and Communications Security, 2008, pp. 75–88.

[33] M. Johns and J. Winter, "RequestRodeo: Client side protection against session riding," Proceedings of the OWASP Europe 2006 Conference, refereed papers track, Report CW448, pp. 5–17.

[34] A. Yip, N. Narula, M. Krohn, and R. Morris, "Privacy-preserving browser-side scripting with BFlow," Proceedings of the 4th ACM European Conference on Computer Systems, 2009, pp. 233–246.

[35] J. Conallen, "Modeling Web application architectures with UML," Communications of the ACM, vol. 42, 1999, p. 70.

[36] S. Maffeis, J. Mitchell, and A. Taly, "Isolating JavaScript with filters, rewriting, and wrappers," Computer Security – ESORICS 2009, pp. 505–522.

[37] C. Karlof, U. Shankar, J. D. Tygar, and D. Wagner, "Dynamic pharming attacks and locked same-origin policies for web browsers," Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007, p. 71.

[38] Z. Mao, N. Li, and I. Molloy, "Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection," Financial Cryptography and Data Security, 2009, pp. 238–255.

[39] W. Zeller and E. W. Felten, "Cross-site request forgeries: Exploitation and prevention," technical report, 2008.

[40] C. Jackson and A. Barth, "Beware of finer-grained origins," Web 2.0 Security and Privacy (W2SP), 2008.

[41] A. Barth, C. Jackson, and W. Li, "Attacks on JavaScript Mashup Communication," Proceedings of the Web 2.0 Security and Privacy Workshop (W2SP), 2009.

[42] B. Hoffman, "Ajax security," 2006. Available: http://www.spidynamics.com/assets/documents/AJAXdangers.pdf

[43] J. Magazinius, A. Askarov, and A. Sabelfeld, "A Lattice-based Approach to Mashup Security," ASIAN ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2010.

[44] B. Prince, "eBay Security Vulnerabilities Found by Researcher," eWeek. Available: http://www.eweek.com/c/a/Security/Researcher-Uncovers-eBay-Security-Vulnerabilities-684970/
