A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks

One top vulnerability in today's web applications is request forgery, in which an attacker triggers an unintentional request from a client browser to a target website and exploits the client's privileges on the website. To defend against a general class of cross-site and same-site request forgery attacks, we propose DeRef, a practical defense mechanism that allows a website to apply line-grained access control on the scopes within which the client's authentication credentials can be embedded in requests. One key feature of DeRef is to enable privacy-preserving checking, such that the website does not know where the browser initiates requests, while the browser cannot infer the scopes being configured by the website. DeRef achieves this by using twophase checking, which leverages hashing and blind signature to make a trade-off between performance and privacy protection. We implement a proof-of-concept prototype of DeRef on FireFox and WordPress 2.0. We also evaluate our DeRef prototype and justify its performance overhead in various deployment scenarios.