Cross-site scripting request forgeries
Defenses for Web Users
The good news is that a number of defenses against CSRF attacks are available for web browsers. A common one is the NoScript plugin for Firefox. Unfortunately, for NoScript to be effective, you need to disable JavaScript by default and then selectively enable JavaScript for sites you trust. This leads to obvious usability issues because many sites do not work at all, or work very poorly, if JavaScript is not enabled. Additionally, NoScript will not prevent an attacker from leveraging a cross-site scripting flaw in a site you trust.
However, not all browsers support such selective control over which sites get to execute JavaScript. Another option is simply to install a separate web browser or run a separate instance of a web browser and use it for trusted online activities such as web-based banking and email.
One browser that has incorporated this strategy is Google Chrome. Each browser tab in Chrome is actually a separate process and not a thread running within the same context as other threads (tabs). Thus, the tabs cannot interfere with each other, rendering most CSRF attacks impotent.
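Why the separate-browser advice above works, shown as an added example (not code from the original article): in this toy model each browser instance owns its own cookie jar, so a request triggered from an untrusted page carries the session cookie only when both sites were used in the same instance. The class, URLs, and session value are constructed for illustration, and cookie attributes such as SameSite are ignored.

```javascript
// Toy model, constructed for illustration: each browser instance/profile owns
// one cookie jar. Cookie attributes such as SameSite are deliberately ignored.
class BrowserProfile {
  constructor() { this.jar = new Map(); } // hostname -> Map(cookie name -> value)
  // Store a host-only cookie set by a response from `url`.
  setCookie(url, name, value) {
    const host = new URL(url).hostname;
    if (!this.jar.has(host)) this.jar.set(host, new Map());
    this.jar.get(host).set(name, value);
  }
  // Build the request this profile would send. Cookies are selected by the
  // destination host only; the page that triggered the request plays no part.
  request(targetUrl, initiatorUrl) {
    const cookies = this.jar.get(new URL(targetUrl).hostname) || new Map();
    return {
      url: targetUrl,
      initiator: new URL(initiatorUrl).origin,
      cookieHeader: [...cookies].map(([k, v]) => `${k}=${v}`).join("; "),
    };
  }
}

// Server-side view: a request is authenticated if it carries the session cookie.
function isAuthenticated(req, session) {
  return req.cookieHeader.split("; ").includes(`session=${session}`);
}

function demo() {
  const SESSION = "constructed-session-id";           // constructed value
  const ACTION = "https://bank.example/transfer";     // hypothetical URL
  const UNTRUSTED = "https://forum.example/thread/1"; // hypothetical URL
  // Case 1: one browser for everything; the bank session sits in the same jar.
  const everyday = new BrowserProfile();
  everyday.setCookie("https://bank.example/login", "session", SESSION);
  const shared = everyday.request(ACTION, UNTRUSTED);
  // Case 2: banking happens in a dedicated instance; the untrusted page is
  // opened in another instance whose jar never received the bank's cookie.
  const banking = new BrowserProfile();
  banking.setCookie("https://bank.example/login", "session", SESSION);
  const casual = new BrowserProfile();
  const isolated = casual.request(ACTION, UNTRUSTED);
  return {
    sameBrowser: isAuthenticated(shared, SESSION),
    separateBrowser: isAuthenticated(isolated, SESSION),
    dedicated: isAuthenticated(banking.request(ACTION, "https://bank.example/"), SESSION),
  };
}

console.log(demo());
```

The isolation holds only as long as untrusted links are never opened in the dedicated instance.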