Simon Willison's Weblog: xrequestedbyhttp://simonwillison.net/2008-09-24T09:40:07+00:00Simon WillisonRobust Defenses for Cross-Site Request Forgery [PDF]2008-09-24T09:40:07+00:002008-09-24T09:40:07+00:00https://simonwillison.net/2008/Sep/24/robust/#atom-tag
<p><strong><a href="http://www.adambarth.com/papers/2008/barth-jackson-mitchell-b.pdf">Robust Defenses for Cross-Site Request Forgery [PDF]</a></strong></p>
Fascinating report which introduces the “login CSRF” attack, where an attacker uses CSRF to log a user in to a site (e.g. PayPal) using the attacker’s credentials, then waits for them to submit sensitive information or bind the account to their credit card. The paper also includes an in-depth study of potential protection measures, including research that shows that 3-11% of HTTP requests to a popular ad network have had their referer header stripped. Around 0.05%-0.10% of requests have custom HTTP headers such as X-Requested-By stripped.
<p>Tags: <a href="https://simonwillison.net/tags/csrf">csrf</a>, <a href="https://simonwillison.net/tags/http">http</a>, <a href="https://simonwillison.net/tags/logincsrf">logincsrf</a>, <a href="https://simonwillison.net/tags/paypal">paypal</a>, <a href="https://simonwillison.net/tags/pdf">pdf</a>, <a href="https://simonwillison.net/tags/phishing">phishing</a>, <a href="https://simonwillison.net/tags/security">security</a>, <a href="https://simonwillison.net/tags/xrequestedby">xrequestedby</a></p>