利用隔離使用者內容實現輕量級跨站偽造要求

Abstract

根據OWASP 2010 TOP 10的資料，跨站偽造要求攻擊已經在危險程度中爬升到第五名。由於社交網站的出現，使得一般使用者與網頁伺服器之間有了新的互動方式，瀏覽器本身也支援AJAX語法來增強互動性，但是也同時增進偽造要求攻擊的能力。倘若攻擊者使用AJAX來發動偽造要求攻擊，現有的防禦機制將可輕易的被攻破。 本論文提出了一個輕量級的防禦機制來解決新型態的偽造要求攻擊。我們將針對攻擊的行為特性來擬定解決方案，且為了減輕伺服器端的負擔，捨棄了過往字串過濾或者是重新編寫JavaScript的方法，而是利用隔離使用者所提供之字串來達成的防禦機制。把網頁中的內容分成可信任及不可信任，當這些內容對網站發出要求(HTTP request)時，皆標上相對應的標籤，讓伺服器端可以根據這些標籤來判斷要求是否具有危險性。最後根據隔離出來的可疑要求，觀察其是否已達成伺服器所提供具有隱私資訊的服務來決定要求是否為偽造要求攻擊。網站的管理者可自定詳細的規則以達成更有效且精準的防禦機制。在論文的最後，我們將實作出這個概念並且測量其效能來證明此方法之可行性。

Interactive website is the current trend of the Internet, but it has also created another opportunity for Cross-site request forgery (CSRF/CSRF). According to OWASP 2010 Top 10[1], CSRF/CSRF was listed as one of the most serious web vulnerability. Unfortunately, current protection approaches are not suitable when CSRF attack can use AJAX (Asynchronous JavaScript and XML) under the same website. This paper presents a light-weight CSRF protection approach by introducing quarantine and inspecting suspicious scripts to the server-side. Instead of filtering and rewriting, our solution is based on labeling mechanism which helps web server to distinguish malicious requests from harmless requests. Once the administrator of the website indicates the critical services, the services that contain sensitive data or privacy information about users, labeling mechanism can prevent CSRF attack effectively without changing user-created contents (UCC). At the end of this paper, we implemented the proposed scheme and evaluated the performance of the implementation.