
A Privacy-Preserving Defense Mechanism against Request Forgery Attacks


Authors: Fung, B.S.Y.; Lee, P.P.C. (Dept. of Comput. Sci. & Eng., Chinese Univ. of Hong Kong, Hong Kong, China)

One of the top vulnerabilities in today's web applications is request forgery, in which an attacker triggers an unintended request from a client browser to a target website and exploits the client's privileges on that website. To defend against a general class of cross-site and same-site request forgery attacks, we propose DeRef, a practical defense mechanism that allows a website to apply fine-grained access control on the scopes within which the client's authentication credentials may be embedded in requests. One key feature of DeRef is privacy-preserving checking: the website does not learn where the browser initiates requests, while the browser cannot infer the scopes configured by the website. DeRef achieves this with two-phase checking, which combines hashing and blind signatures to trade off performance against privacy protection. We implement a proof-of-concept prototype of DeRef on Firefox and WordPress 2.0, evaluate it, and justify its performance overhead in various deployment scenarios.
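The abstract names the ingredients (a website-configured list of allowed scopes, a browser-side check, hashing, blind signatures) but not DeRef's message formats. The following is an added illustration, not code from the paper or its prototype, of how a blind RSA signature lets a browser test whether the page initiating a request lies inside an allowed scope without revealing that page to the website, and without the website revealing its scope list. The RSA key, the scope strings, the page URLs and the use of plain RSA-FDH as the signature are all assumptions made for the example; DeRef's cheaper hashing phase is not reproduced here.

```python
"""
Added example (not DeRef's own protocol): privacy-preserving "is this scope
allowed?" check built on an RSA blind signature used as an oblivious PRF.
Website side: publishes Sign(H(scope)) for every allowed scope and signs
blinded values on request.  Browser side: blinds H(candidate scope), gets it
signed, unblinds, and checks membership in the published set.
"""
import hashlib
import secrets
from math import gcd
from urllib.parse import urlsplit

# Toy RSA key built from two Mersenne primes so the example runs offline.
# Assumption for illustration only; a real deployment generates a >= 2048-bit
# key with a proper library and never uses known primes.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the website only


def hash_scope(scope: str) -> int:
    """Full-domain-hash stand-in: SHA-256 of the scope string as an integer < N."""
    return int.from_bytes(hashlib.sha256(scope.encode()).digest(), "big") % N


def server_publish_tokens(allowed_scopes):
    """Website side: Sign(H(scope)) for each configured scope.  Without D a
    browser cannot compute these for guessed scopes, so it cannot brute-force
    the configuration from the published set."""
    return {pow(hash_scope(s), D, N) for s in allowed_scopes}


def server_sign_blinded(blinded: int) -> int:
    """Website side: signs an opaque blinded value and learns nothing about
    which page the browser is asking about."""
    return pow(blinded, D, N)


def browser_blind(scope: str):
    """Browser side: multiply H(scope) by r^E for a fresh random r coprime to N."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (hash_scope(scope) * pow(r, E, N)) % N, r


def browser_unblind(signed_blinded: int, r: int) -> int:
    """Browser side: strip the blinding factor, leaving Sign(H(scope))."""
    return (signed_blinded * pow(r, -1, N)) % N


def candidate_scopes(page_url: str):
    """Origin plus every directory prefix of the initiating page's path
    (scopes here are assumed to be directory prefixes ending in '/')."""
    u = urlsplit(page_url)
    base = f"{u.scheme}://{u.netloc}"
    dirs = u.path.split("/")[1:-1]  # directory components; file name dropped
    out = [base + "/"]
    for i in range(1, len(dirs) + 1):
        out.append(base + "/" + "/".join(dirs[:i]) + "/")
    return out


def credentials_allowed(page_url: str, published_tokens, sign=server_sign_blinded) -> bool:
    """Browser side: may a request initiated from page_url carry the cookie?
    One blind query per candidate scope; the website only ever sees blinded
    values, and the browser only learns a yes/no for its own page."""
    for scope in candidate_scopes(page_url):
        blinded, r = browser_blind(scope)
        token = browser_unblind(sign(blinded), r)
        # Unblinded value must be a valid signature on H(scope); otherwise the
        # website tampered with the response.
        if pow(token, E, N) != hash_scope(scope):
            raise ValueError("website returned an invalid blind signature")
        if token in published_tokens:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample configuration: only the admin area may send credentials.
    tokens = server_publish_tokens({"https://blog.example/wp-admin/"})
    print(credentials_allowed("https://blog.example/wp-admin/post.php", tokens))  # True
    print(credentials_allowed("https://evil.example/csrf.html", tokens))          # False (cross-site)
    print(credentials_allowed("https://blog.example/forum/thread", tokens))       # False (same-site, out of scope)
```

The last call is the same-site case the abstract mentions: a page on the same origin but outside the configured scope still gets no credentials, which a plain origin-based or SameSite-cookie check would not catch. Each candidate scope costs one round trip to the website, which is the performance side of the trade-off the abstract describes.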

Published in: Trust, Security and Privacy in Computing and Communications (TrustCom), 2011 IEEE 10th International Conference on

Date of Conference: 16-18 Nov. 2011