A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks

One of the top vulnerabilities in today's web applications is request forgery, in which an attacker triggers an unintended request from a client's browser to a target website and exploits the client's privileges on that website. To defend against a general class of cross-site and same-site request forgery attacks, the authors propose DeRef, a practical defense mechanism that allows a website to apply fine-grained access control over the scopes within which the client's authentication credentials may be embedded in requests. A key feature of DeRef is privacy-preserving checking: the website does not learn where the browser initiated a request, and the browser cannot infer the scopes the website has configured.

Provided by: Chinese University of Hong Kong
Topic: Security
Date Added: Sep 2011
Format: PDF
