Home > Foreign-language conferences > 1st workshop on secure execution of untrusted code > Browser Protection against Cross-Site Request Forgery

Browser Protection against Cross-Site Request Forgery


Abstract

As businesses are opening up to the web, securing their web applications becomes paramount. Nevertheless, the number of web application attacks is constantly increasing. Cross-Site Request Forgery (CSRF) is one of the more serious threats to web applications that has gained a lot of attention lately. It allows an attacker to perform malicious authorized actions originating in the end-user's browser, without his knowledge. This paper presents a client-side policy enforcement framework to transparently protect the end-user against CSRF. To do so, the framework monitors all outgoing web requests within the browser and enforces a configurable cross-domain policy. The default policy is carefully selected to transparently operate in a web 2.0 context. In addition, the paper also proposes an optional server-side policy to improve the accuracy of the client-side policy enforcement. A prototype is implemented as a Firefox extension, and is thoroughly evaluated in a web 2.0 context.
