13 items | 1 visits
Documents pertaining to browser security and prevention.
Updated on Apr 02, 10
Created on Apr 02, 10
Category: Computers & Internet
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.
Welcome to another edition of Security Corner. This month's topic is cross-site request forgeries, an attack vector that enables an attacker to send arbitrary HTTP requests from a victim user. That's worth reading a couple of times, and it will likely not be until you've seen your first example attack that you can fully understand or appreciate the danger.
ABSTRACT
Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the honest web site as the attacker. The severity of a login CSRF vulnerability varies by site, but it can be as severe as a cross-site scripting vulnerability. We detail three major CSRF defense techniques and find shortcomings with each technique. Although the HTTP Referer header could provide an effective defense, our experimental observation of 283,945 advertisement impressions indicates that the header is widely blocked at the network layer due to privacy concerns. Our observations do suggest, however, that the header can be used today as a reliable CSRF defense over HTTPS, making it particularly well-suited for defending against login CSRF. For the long term, we propose that browsers implement the Origin header, which provides the security benefits of the Referer header while responding to privacy concerns.
A mostly unknown Web vulnerability called Cross-Site Request Forgery could be the next attack vector on your Website
Web security is at the top of customers’ minds after many well-publicized personal data breaches, but the people who actually build Web applications aren’t paying much attention to security, experts say.
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF ("sea-surf"[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
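The following is an added example, not code from any of the papers or articles listed above, showing how a server-side handler can apply the defenses those items describe: an Origin header check, a Referer check that is strict over HTTPS and lenient over plain HTTP (following the observation in the login-CSRF abstract that Referer is reliably present over HTTPS), and a session-bound secret token that is also required on the login form so that login CSRF is blocked. The site origin `https://bank.example`, the `Request` and `Session` classes, and all sample requests are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical origin of the "honest" site being defended (an assumption).
SITE_ORIGIN = "https://bank.example"


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed model)."""
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    """Server-side session; a pre-login session must exist so the login
    form can carry a token too, which is what stops login CSRF."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def _origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def check_csrf(req: Request, session: Optional[Session]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request to a state-changing endpoint.

    Order of checks:
      1. Origin header, when the browser sent one: must equal SITE_ORIGIN.
         Page content cannot set or forge this header.
      2. Otherwise the Referer header: its origin must equal SITE_ORIGIN.
         If it is missing, reject over HTTPS (strict) but tolerate over
         plain HTTP (lenient), since proxies strip it there.
      3. A secret token tied to the session, compared in constant time.
    """
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"

    origin = req.headers.get("Origin")
    if origin is not None:
        # "null" (sandboxed or privacy-redirected contexts) also fails here.
        if origin.lower() != SITE_ORIGIN:
            return False, f"origin mismatch: {origin}"
    else:
        referer = req.headers.get("Referer")
        if referer is None:
            if urlsplit(req.url).scheme == "https":
                return False, "referer missing over https (strict mode)"
            # Lenient over http: fall through to the token check.
        elif _origin_of(referer) != SITE_ORIGIN:
            return False, f"referer mismatch: {referer}"

    if session is None:
        return False, "no session for token check"
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return False, "token mismatch"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run a set of constructed requests through check_csrf."""
    s = Session()
    action = "https://bank.example/transfer"
    login = "https://bank.example/login"
    cases = {
        "legit_post": Request("POST", action,
                              {"Origin": SITE_ORIGIN},
                              {"csrf_token": s.csrf_token}),
        "forged_with_origin": Request("POST", action,
                                      {"Origin": "https://attacker.example"},
                                      {"csrf_token": "guess"}),
        "forged_referer_only": Request("POST", action,
                                       {"Referer": "https://attacker.example/x.html"},
                                       {}),
        "forged_headers_stripped": Request("POST", action, {}, {}),
        # Login CSRF: attacker submits their own credentials to the login form
        # from a cross-site page; the pre-login session token is absent.
        "login_csrf": Request("POST", login,
                              {"Origin": "https://attacker.example"},
                              {"user": "attacker", "pass": "x"}),
        "right_origin_wrong_token": Request("POST", action,
                                            {"Origin": SITE_ORIGIN},
                                            {"csrf_token": "stale"}),
        "plain_get": Request("GET", action, {}, {}),
    }
    return {name: check_csrf(r, s) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:26s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The token check is what makes the login form safe even when an attacker's request carries a plausible Origin: the token is minted into a session created before authentication, so a cross-site POST that never loaded the real login page cannot know it.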
Introduction
For the past 5 years, CVE has been tracking the types of errors that lead to publicly reported vulnerabilities, and periodically reporting trends on a limited scale. The primary goal of this study is to better understand research trends using publicly reported vulnerabilities. It should be noted that the data is obtained from an uncontrolled population, i.e., decentralized public reports from a research community with diverse goals and interests, with an equally diverse set of vendors and developers. More specialized, exhaustive, and repeatable methods could be devised to evaluate software security. But until such methods reach maturity and widespread acceptance, the overall state of software security can be viewed through the lens of public reports.