Strengthening XSRF Defenses for Legacy Web Applications Using Whitebox Analysis and Transformation

  • Michelle Zhou
  • Prithvi Bisht
  • V. N. Venkatakrishnan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6503)


Cross Site Request Forgery (XSRF) is regarded as one of the major threats on the Web. In this paper, we propose an approach that automatically retrofits the source code of legacy web applications with a widely-used defense approach for this attack. Our approach addresses a number of shortcomings in prior blackbox solutions for automatic XSRF protection. Our approach has been implemented in a tool called X-Protect that was used to retrofit several commercial Java-based web applications. Our experimental results demonstrate that the X-Protect approach is both effective and efficient in practice.


Cross Site Request Forgery; Attack Prevention; Whitebox Analysis





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Michelle Zhou (1)
  • Prithvi Bisht (1)
  • V. N. Venkatakrishnan (1)
  1. Department of Computer Science, University of Illinois, Chicago, USA
