https://dl.acm.org/doi/10.1145/2076732.2076768


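@comment{
  ACM DL export, normalised for use as a database entry rather than a
  pasted one-liner: one field per line; the pages range written with a
  double hyphen instead of a typographic en dash; the curly apostrophes
  in series and abstract replaced by ASCII ones (classic BibTeX is
  8-bit and non-ASCII can garble sorting and output); the CSRF acronym
  brace-protected so sentence-casing styles keep it upper-case. The
  citation key is the DOI; doi and url carry the same resolver target,
  so styles that prefer doi may drop url. Field values are otherwise
  as exported.
}
@inproceedings{10.1145/2076732.2076768,
  author    = {Pelizzi, Riccardo and Sekar, R.},
  title     = {A server- and browser-transparent {CSRF} defense for web 2.0 applications},
  booktitle = {Proceedings of the 27th Annual Computer Security Applications Conference},
  series    = {ACSAC '11},
  year      = {2011},
  pages     = {257--266},
  numpages  = {10},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  location  = {Orlando, Florida, USA},
  isbn      = {9781450306720},
  doi       = {10.1145/2076732.2076768},
  url       = {https://doi.org/10.1145/2076732.2076768},
  abstract  = {Cross-Site Request Forgery (CSRF) vulnerabilities constitute one of the most serious web application vulnerabilities, ranking fourth in the CWE/SANS Top 25 Most Dangerous Software Errors. By exploiting this vulnerability, an attacker can submit requests to a web application using a victim user's credentials. A successful attack can lead to compromised accounts, stolen bank funds or information leaks. This paper presents a new server-side defense against CSRF attacks. Our solution, called jCSRF, operates as a serverside proxy, and does not require any server or browser modifications. Thus, it can be deployed by a site administrator without requiring access to web application source code, or the need to understand it. Moreover, protection is achieved without requiring web-site users to make use of a specific browser or a browser plug-in. Unlike previous server-side solutions, jCSRF addresses two key aspects of Web 2.0: extensive use of client-side scripts that can create requests to URLs that do not appear in the HTML page returned to the client; and services provided by two or more collaborating web sites that need to make cross-domain requests.},
}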