• DocumentCode
    2777902
  • Title

    A Study of the Effectiveness of CSRF Guard

  • Author

    Chen, Boyan ; Zavarsky, Pavol ; Ruhl, Ron ; Lindskog, Dale

  • Author_Institution
    Dept. of Inf. Syst. Security Manage., Concordia Univ. Coll. of Alberta, Edmonton, AB, Canada
  • fYear
    2011
  • fDate
    9-11 Oct. 2011
  • Firstpage
    1269
  • Lastpage
    1272
  • Abstract
    OWASP (Open Web Application Security Project) CSRF Guard is a mitigation strategy designed to protect against Cross-Site Request Forgery (CSRF) attacks. CSRF, also known as one-click attack or session riding, is one of the most dangerous threats against web applications. A successful CSRF exploit could result in disclosure of private information, unauthorized modification of sensitive data and disruption of web service. This paper explores the following: (1) how CSRF Guard is able or unable to block CSRF attempts through the use of threat models, (2) possible limitations of the CSRF Guard, and (3) possible scenarios where the CSRF Guard is recommended as a mitigation strategy. This paper can assist web developers and researchers in improving current CSRF defense systems or developing new strategies in the future.
  • Keywords
    Web services; authorisation; CSRF defense systems; CSRF guard; OWASP; Web service disruption; cross-site request forgery attacks; mitigation strategy; one-click attack; open Web application security project; private information disclosure; sensitive data unauthorized modification; session riding; threat models; Authentication; Browsers; Forgery; Servers; Web pages; CSRF Guard; Cross-site Request forgery; threat model;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Privacy, Security, Risk and Trust (PASSAT) and 2011 IEEE Third International Conference on Social Computing (SocialCom), 2011 IEEE Third International Conference on
  • Conference_Location
    Boston, MA
  • Print_ISBN
    978-1-4577-1931-8
  • Type

    conf

  • DOI
    10.1109/PASSAT/SocialCom.2011.58
  • Filename
    6113294