Proceedings of the 27th Annual Computer Security Applications Conference 2011
DOI: 10.1145/2076732.2076768

A server- and browser-transparent CSRF defense for web 2.0 applications

Abstract: Cross-Site Request Forgery (CSRF) vulnerabilities constitute one of the most serious web application vulnerabilities, ranking fourth in the CWE/SANS Top 25 Most Dangerous Software Errors. By exploiting this vulnerability, an attacker can submit requests to a web application using a victim user's credentials. A successful attack can lead to compromised accounts, stolen bank funds or information leaks. This paper presents a new server-side defense against CSRF attacks. Our solution, called jCSRF, operates as a s…

Cited by 6 publications (1 citation statement)
References 8 publications
“…The application is unaware that the tokens are being inserted and validated by the proxy. Proxy-based CSRF protection and WAVES do not interfere with one another as long as the proxy properly addresses AJAX requests, such as [14]. The fact that WAVES outfitted the original application to include additional JavaScript on the client and AJAX stubs on the server is irrelevant to the proxy; the developer could have added that code herself.…”
Section: Csrf Protection (Csrf); citation type: mentioning
confidence: 99%