DocumentCode
123560
Title
Improved CSRFGuard for CSRF attacks defense on Java EE platform
Author
Jinxin You ; Fan Guo
Author_Institution
Sch. of Comput. & Inf. Eng., Jiangxi Normal Univ., Nanchang, China
fYear
2014
fDate
22-24 Aug. 2014
Firstpage
1115
Lastpage
1120
Abstract
CSRFGuard is a tool running on the Java EE platform to defend against Cross-Site Request Forgery (CSRF) attacks, but it has some shortcomings: scripts must be inserted manually, dynamically created requests cannot be handled effectively, and the defense can be bypassed through Cross-Site Scripting (XSS). Corresponding improvements were made to address these shortcomings. A Servlet filter was used to intercept responses, and the page source code of each response was stored by a custom response wrapper class so that script tags could be added, allowing scripts to be inserted automatically. The JavaScript event delegation mechanism was used to bind forms to onfocus and onsubmit events, so that dynamically created requests were handled effectively. Adding the token dynamically when an event is triggered effectively prevented the defense from being bypassed through XSS. The experimental results show that the improved CSRFGuard can effectively defend against CSRF attacks.
Keywords
Java; security of data; CSRF attack defense; CSRFGuard; Java EE platform; JavaScript event delegation mechanism; Servlet filter; XSS; cross-site request forgery attack; cross-site scripting; custom response wrapper; script tags; Browsers; Computers; HTML; Security; Welding; CSRFGuard; Cross-Site Scripting; Cross-site Request Forgery; Event Delegation; Java EE;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Science & Education (ICCSE), 2014 9th International Conference on
Conference_Location
Vancouver, BC
Print_ISBN
978-1-4799-2949-8
Type
conf
DOI
10.1109/ICCSE.2014.6926635
Filename
6926635
Link To Document