A client-based and server-enhanced defense mechanism for cross-site request forgery


Abstract

A CSRF attack in the usual sense involves more than one domain. This paper covers both cross-domain CSRF and same-domain CSRF, which overlaps with cross-site scripting (XSS): if an XSS payload makes the victim's browser send requests to the same domain, that is also a CSRF, a same-domain CSRF. This kind of XSS-CSRF is widespread, and even high-profile sites cannot always avoid such vulnerabilities. There are three main defenses: Referer header checking, secret validation tokens and CAPTCHAs. The Referer header is sometimes missing [1], the secret token becomes completely useless once XSS exists, and CAPTCHAs are too burdensome for users. In addition, [2-3] propose client-side measures, but purely client-side checking is not trustworthy from the server's perspective, and those measures still suffer from the missing-Referer problem. Moreover, none of [1-3] addresses same-domain CSRF. We therefore propose a client-initialized and server-accomplished defense mechanism (CSDM). © 2010 Springer-Verlag.
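The two failure modes the abstract attributes to the classic defenses, a missing Referer and a secret token exposed by same-domain XSS, can be reproduced with a small simulation. The following is an added example, not code from the paper or from the CSDM mechanism it proposes; the site origin `https://bank.example`, the attacker origin, the `/transfer` form and all request headers, sessions and page markup are constructed here for illustration.

```python
"""Added example (not from Xing, Zhang & Chen, 2010): simulates how Referer
checking and secret-token validation behave against cross-domain CSRF, a
forged request whose Referer never arrives, and same-domain XSS-CSRF.
Every request, session and page fragment below is constructed inline."""
import hmac
import re
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"  # hypothetical protected site


def referer_allows(headers: dict, policy: str = "strict") -> bool:
    """Referer check. A 'strict' policy rejects any request without a Referer
    (and so breaks legitimate clients that strip it); a 'lenient' policy
    accepts Referer-less requests (and so lets a Referer-less forgery through).
    This is the missing-Referer dilemma the abstract cites as [1]."""
    referer = headers.get("Referer")
    if referer is None:
        return policy == "lenient"
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def issue_token(session: dict) -> str:
    """Per-session secret validation token, as a server would store it."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def token_allows(form: dict, session: dict) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def render_transfer_form(session: dict) -> str:
    """Page served to the logged-in user; the token is embedded in the form,
    which is exactly what same-origin script can read."""
    return ('<form action="/transfer" method="POST">'
            f'<input type="hidden" name="csrf_token" value="{issue_token(session)}">'
            '<input name="to"><input name="amount"></form>')


def scenario_cross_domain(session: dict) -> dict:
    """Classic CSRF from attacker.example: the browser sends the attacker's
    Referer, and the attacker cannot read the victim's token."""
    issue_token(session)
    headers = {"Referer": "https://attacker.example/evil.html"}
    form = {"to": "mallory", "amount": "1000"}  # attacker has no token
    return {"referer_strict": referer_allows(headers, "strict"),
            "token": token_allows(form, session)}


def scenario_referer_missing(session: dict) -> dict:
    """The request arrives with no Referer at all (privacy proxy, browser
    setting, or a referrer policy chosen by the attacker's page). The server
    cannot tell a legitimate request from a forged one: strict rejects both,
    lenient accepts both. Only the token still distinguishes them."""
    issue_token(session)
    headers = {}  # Referer missing
    form = {"to": "mallory", "amount": "1000"}
    return {"referer_strict": referer_allows(headers, "strict"),
            "referer_lenient": referer_allows(headers, "lenient"),
            "token": token_allows(form, session)}


def scenario_same_domain_xss(session: dict) -> dict:
    """Same-domain XSS-CSRF: injected script runs in the site's own origin,
    fetches the form page, lifts the token out of the markup and submits it
    with a same-origin Referer. Both defenses pass the forged request."""
    page = render_transfer_form(session)
    stolen = re.search(r'name="csrf_token" value="([0-9a-f]+)"', page).group(1)
    headers = {"Referer": f"{SITE_ORIGIN}/transfer"}
    form = {"to": "mallory", "amount": "1000", "csrf_token": stolen}
    return {"referer_strict": referer_allows(headers, "strict"),
            "token": token_allows(form, session)}


if __name__ == "__main__":
    for name, fn in [("cross-domain", scenario_cross_domain),
                     ("referer-missing", scenario_referer_missing),
                     ("same-domain XSS", scenario_same_domain_xss)]:
        print(name, fn({}))
```

Running the three scenarios shows the pattern the abstract describes: the cross-domain forgery is stopped by either check; once the Referer is absent the Referer check alone either breaks legitimate traffic or lets the forgery through, and only the token saves the server; and once script runs in the victim origin, the token is readable and both checks are satisfied, which is why a defense for same-domain CSRF cannot rely on a secret the page itself carries.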

Citation (APA)

Xing, L., Zhang, Y., & Chen, S. (2010). A client-based and server-enhanced defense mechanism for cross-site request forgery. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 6307 LNCS, pp. 484–485). Springer Verlag. https://doi.org/10.1007/978-3-642-15512-3_25