
Research Of CSRF Attack And Defense Technology

Posted on: 2017-08-11
Degree: Master
Type: Thesis
Country: China
Candidate: X X Zheng
Full Text: PDF
GTID: 2348330518495810
Subject: Information security
Abstract/Summary:
Cross-site request forgery (CSRF) is known in the security industry as the "sleeping giant". Because Web developers and users do not yet have a clear enough understanding of CSRF vulnerabilities, the attack receives less attention than it deserves and remains a major security risk on the Web. This paper first researches the technologies related to CSRF and extracts the attack models of stored CSRF and reflected CSRF from an analysis of CSRF examples; it then designs and implements a new CSRF protection system, and finally verifies the effectiveness of this system, showing that it can defend against CSRF. The main work of this paper is as follows:

(1) Researched the technologies related to CSRF. Analyzed the vulnerability threat and the ways in which the same-origin policy, the cross-origin resource sharing (CORS) policy and the cookie security policy can be exploited; derived the attack principle of CSRF from the analysis of real cases; analyzed the detection principles of detection tools including CSRFTester and Security AppScan; analyzed server-side protection policies and pointed out their defects; and analyzed the protection principles of existing protection tools.

(2) Researched the different vectors of CSRF attacks and extracted the attack mode of each kind of CSRF attack. Through an analysis of the share of each type of CSRF attack in network applications and of its causes, emphasized the importance of closing vulnerabilities completely throughout the system and of code auditing.

(3) Designed and implemented the CSRF protection system. The system includes a client side and a server side: the client-side detection tool is a Firefox component that matches the attributes of each HTTP request, and it ensures the safety of requests sent to the server by checking them before they are sent; the server side uses a temporary cookie to protect the web site.

(4) Verified the effectiveness of the CSRF protection system. Constructed three project cases, protected them with CSRF-Client-Detect, and compared the protective effect of the cookie protection strategies under different circumstances; the evaluation results show that the protection system can completely protect against CSRF attacks.
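The abstract describes a server side that protects the site with a temporary cookie, but the thesis text itself is not on this page. As an added illustration (this is not the thesis's code, and the thesis's Firefox XPCOM component is not reproduced), the following Python sketch shows the usual shape of such a server-side check: a random token is issued in a cookie and echoed in each state-changing form, and a request is accepted only if the two match and the browser-reported origin (Origin or Referer header) is our own. The site origin `https://bank.example`, the cookie and field name `csrf_token`, the `Request` class and the sample requests are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed site origin for the example (constructed, not from the thesis).
SITE_ORIGIN = "https://bank.example"
TOKEN_COOKIE = "csrf_token"   # name of the temporary cookie (assumption)
TOKEN_FIELD = "csrf_token"    # name of the hidden form field (assumption)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a server framework presents it."""
    method: str
    headers: Dict[str, str]
    cookies: Dict[str, str]
    form: Dict[str, str]


def issue_csrf_token() -> str:
    """Generate the per-session secret that the server stores in the temporary
    cookie and also embeds in every state-changing form it renders."""
    return secrets.token_urlsafe(32)


def set_cookie_header(token: str) -> str:
    """Set-Cookie value for the token cookie. SameSite=Strict stops browsers from
    attaching it to cross-site requests at all; HttpOnly keeps page scripts from
    reading it, which is fine because the server itself renders it into forms."""
    return f"{TOKEN_COOKIE}={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Return the origin the browser says the request came from, taken from the
    Origin header or, failing that, the Referer; None if neither is present."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def verify_request(req: Request) -> Tuple[bool, str]:
    """Accept a request only if it uses a safe method, or if it comes from our own
    origin (when the browser tells us) and carries a form token equal to the token
    in the temporary cookie. Returns (accepted, reason)."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = request_origin(req.headers)
    if origin is not None and origin != SITE_ORIGIN:
        return False, "cross-origin source"
    cookie_token = req.cookies.get(TOKEN_COOKIE)
    form_token = req.form.get(TOKEN_FIELD)
    if not cookie_token or not form_token:
        return False, "missing token"
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(cookie_token, form_token):
        return False, "token mismatch"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed sample requests: one legitimate, two forged."""
    token = issue_csrf_token()
    legit = Request("POST", {"Origin": SITE_ORIGIN},
                    {TOKEN_COOKIE: token},
                    {"to": "alice", "amount": "10", TOKEN_FIELD: token})
    # A page on another site can cause the browser to send our cookie (if the
    # browser ignores SameSite), but it cannot read the cookie, so it cannot
    # fill in the matching form field.
    forged = Request("POST", {"Origin": "https://evil.example"},
                     {TOKEN_COOKIE: token},
                     {"to": "mallory", "amount": "10"})
    # Same forgery with Origin/Referer stripped: the token check still catches it.
    forged_no_origin = Request("POST", {}, {TOKEN_COOKIE: token},
                               {"to": "mallory", "amount": "10"})
    return {"legit": verify_request(legit),
            "forged": verify_request(forged),
            "forged_no_origin": verify_request(forged_no_origin)}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({why})")
```

The origin check and the token check are deliberately independent: the origin check fails closed only when the browser reports a foreign origin, since some browsers and proxies strip Referer, while the token check rejects any state-changing request that lacks the matching secret regardless of headers.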
Keywords/Search Tags: Cross-site request forgery, XPCOM, Cookie, CSRF-Client-Detect