Conference: World Conference on Information Systems and Technologies

Implementation of Web Browser Extension for Mitigating CSRF Attack

Abstract

CSRF is one of the most serious cyber-attacks and has been recognized among the major threats and among the top ten worst vulnerabilities of web applications. A CSRF attack occurs when the attacker takes advantage of the implicit authentication mechanisms of the HTTP protocol and the credentials cached in the browser to execute a sensitive action on a target website on behalf of an authenticated user without his knowledge. In this paper, we present a CSRF protection mechanism that can be added to the Google Chrome browser as an extension. Our tool, "CSRF Detector", is implemented purely on the client side to defeat the attacker's attempts to perform CSRF attacks by analyzing web requests and web page content to detect all the basic and advanced CSRF attacks. Our evaluation results show that the CSRF Detector extension successfully detects all the generated attacks and that it is able to protect users and web applications against CSRF attacks with no false positives.
