CookieArmor : Safeguarding against cross‐site request forgery and session hijacking

  • Sinha A
  • Tripathy S

Abstract

Internet browsers use cookies and session‐IDs for maintaining HTTP state information, which has led to several security vulnerabilities such as cross‐site request forgery (CSRF) and session hijacking. Several works have been carried out in the past to address these threats, and most of these works propose an additional layer in the client‐server communication architecture. While some solutions propose this layer at the client side, others propose it at the server side. This work proposes an efficient client‐side proxy named CookieArmor for addressing the threat of CSRF and cross‐site scripting (XSS). CookieArmor is a two‐token selective CSRF prevention mechanism with restricted relaxation for cross‐origin requests. CookieArmor determines whether a script is capable of performing state‐changing operations and safeguards only such scripts using a two‐token CSRF prevention scheme. CookieArmor uses active Session‐ID filtering to safeguard against session hijacking. CookieArmor also uses a quotient filter between the proxy and its internal database to improve performance. CookieArmor demonstrates a significant improvement in efficiency over other solutions.

Cite

Sinha, A. K., & Tripathy, S. (2019). CookieArmor : Safeguarding against cross‐site request forgery and session hijacking. SECURITY AND PRIVACY, 2(2). https://doi.org/10.1002/spy2.60
