Authentication Token


The Experts below are selected from a list of 111 Experts worldwide ranked by ideXlab platform

Ian Molloy - One of the best experts on this subject based on the ideXlab platform.

  • Defeating cross-site request forgery attacks with browser-enforced authenticity protection
    2014
    Co-Authors: Ziqing Mao, Ian Molloy
    Abstract:

    A cross-site request forgery (CSRF) attack occurs when a user's web browser is instructed by a malicious webpage to send a request to a vulnerable website, resulting in the vulnerable website performing actions not intended by the user. CSRF vulnerabilities are very common, and the consequences of such attacks are most serious for financial websites. We recognize that CSRF attacks are an example of the confused deputy problem, in which the browser is viewed by websites as the deputy of the user, but may be tricked into sending requests that violate the user's intention. We propose Browser-Enforced Authenticity Protection (BEAP), a browser-based mechanism to defend against CSRF attacks. BEAP infers whether a request reflects the user's intention and whether an authentication token is sensitive, and strips sensitive authentication tokens from any request that may not reflect the user's intention. The inference is based on information about the request (e.g., how the request is triggered and crafted) and heuristics derived from analyzing real-world web applications. We have implemented BEAP as a Firefox browser extension, and show that BEAP can effectively defend against CSRF attacks and does not break existing web applications.

  • Defeating cross-site request forgery attacks with browser-enforced authenticity protection
    Financial Cryptography, 2009
    Co-Authors: Ninghui Li, Ian Molloy
    Abstract:

    A cross-site request forgery (CSRF) attack occurs when a user's web browser is instructed by a malicious webpage to send a request to a vulnerable website, resulting in the vulnerable website performing actions not intended by the user. CSRF vulnerabilities are very common, and the consequences of such attacks are most serious for financial websites. We recognize that CSRF attacks are an example of the confused deputy problem, in which the browser is viewed by websites as the deputy of the user, but may be tricked into sending requests that violate the user's intention. We propose Browser-Enforced Authenticity Protection (BEAP), a browser-based mechanism to defend against CSRF attacks. BEAP infers whether a request reflects the user's intention and whether an authentication token is sensitive, and strips sensitive authentication tokens from any request that may not reflect the user's intention. The inference is based on information about the request (e.g., how the request is triggered and crafted) and heuristics derived from analyzing real-world web applications. We have implemented BEAP as a Firefox browser extension, and show that BEAP can effectively defend against CSRF attacks and does not break existing web applications.

  • Defeating cross-site request forgery attacks with browser-enforced authenticity protection
    Annual Information Security Symposium, 2009
    Co-Authors: Ninghui Li, Ian Molloy
    Abstract:

    A cross-site request forgery (CSRF) attack occurs when a user's web browser is instructed by a malicious webpage to send a request to a vulnerable website, resulting in the vulnerable website performing actions not intended by the user. CSRF vulnerabilities are very common, and the consequences of such attacks are serious. We recognize that CSRF attacks are an example of the confused deputy problem, in which the browser is viewed by websites as the deputy of the user, but may be tricked into sending requests that violate the user's intention. We propose Browser-Enforced Authenticity Protection (BEAP), a browser-based mechanism to defend against CSRF attacks. BEAP infers whether a request reflects the user's intention and whether an authentication token is sensitive, and strips sensitive authentication tokens from any request that may not reflect the user's intention. The inference is based on information about the request (e.g., how the request is triggered and crafted) and heuristics derived from analyzing real-world web applications. We have implemented BEAP as a Firefox browser extension, and show that BEAP can effectively defend against CSRF attacks and does not break existing web applications.
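    The confused-deputy scenario and the strip-the-token defence that the BEAP abstracts above describe, as an added illustration that is not the paper's or the Firefox extension's code. It simulates a browser cookie jar, a bank server that authorizes a transfer purely on its session cookie, and a BEAP-style filter placed between them. The trigger categories, the same-origin rule, the "clicked hyperlink GET is intended" rule and the "Secure or session cookie counts as an authentication token" rule are simplifying assumptions made for the demo, not the heuristics the paper derived from real-world applications; all hosts, cookie values and amounts are constructed sample data.

```python
"""Confused-deputy CSRF and a BEAP-style token-stripping browser policy.

Added illustration, not the BEAP extension's code. The trigger classes, the
same-origin rule and the sensitivity rule are simplifying assumptions for the
demo; hosts, cookies and amounts are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False   # Secure attribute: only attached over https
    session: bool = True   # no Expires/Max-Age: discarded when the browser closes


@dataclass
class Request:
    method: str
    url: str
    trigger: str                 # typed | bookmark | link | form | subresource | script
    initiator: Optional[str]     # page that caused the request; None if the user typed it
    body: dict = field(default_factory=dict)


def origin(url: str) -> tuple[str, str]:
    """(scheme, host) used for same-origin checks; the port is ignored for brevity."""
    u = urlsplit(url)
    return (u.scheme, u.hostname or "")


def reflects_user_intention(req: Request) -> bool:
    """Assumed intention heuristic (a simplification of the BEAP idea):
    user-driven navigations and same-origin requests are intended, a cross-origin
    GET from a clicked hyperlink is intended, everything else cross-origin
    (auto-submitted form, script/XHR, embedded img/iframe) may be forged."""
    if req.trigger in ("typed", "bookmark") or req.initiator is None:
        return True
    if origin(req.initiator) == origin(req.url):
        return True
    return req.trigger == "link" and req.method == "GET"


def is_sensitive(cookie: Cookie) -> bool:
    """Assumed sensitivity heuristic: Secure or session cookies are treated as
    authentication tokens; long-lived non-Secure cookies (theme, analytics) are
    not, so cross-site embedding of public resources keeps working."""
    return cookie.secure or cookie.session


class Browser:
    def __init__(self, beap_enabled: bool) -> None:
        self.jar: dict[str, list[Cookie]] = {}
        self.beap_enabled = beap_enabled

    def set_cookie(self, host: str, cookie: Cookie) -> None:
        self.jar.setdefault(host, []).append(cookie)

    def cookies_for(self, req: Request) -> list[Cookie]:
        """Cookies actually attached to req (the deputy's credentials)."""
        scheme, host = origin(req.url)
        candidates = [c for c in self.jar.get(host, []) if scheme == "https" or not c.secure]
        if not self.beap_enabled or reflects_user_intention(req):
            return candidates
        return [c for c in candidates if not is_sensitive(c)]   # BEAP: strip the tokens


class BankServer:
    """The vulnerable target: authorizes a transfer purely on the session cookie."""
    def __init__(self) -> None:
        self.sessions = {"s3cr3t": "alice"}
        self.transfers: list[tuple[str, str, int]] = []

    def handle(self, req: Request, cookies: list[Cookie]) -> int:
        token = next((c.value for c in cookies if c.name == "session"), None)
        user = self.sessions.get(token)
        if user is None:
            return 401
        if req.method == "POST" and urlsplit(req.url).path == "/transfer":
            self.transfers.append((user, req.body["to"], int(req.body["amount"])))
        return 200


def run_scenario(beap: bool) -> dict[str, int]:
    """Replay three requests against the bank with BEAP on or off."""
    browser, bank = Browser(beap), BankServer()
    browser.set_cookie("bank.example", Cookie("session", "s3cr3t", secure=True, session=True))
    browser.set_cookie("bank.example", Cookie("theme", "dark", secure=False, session=False))
    # 1. Alice submits the bank's own transfer form (same origin): must keep working.
    legit = Request("POST", "https://bank.example/transfer", "form",
                    "https://bank.example/account", {"to": "bob", "amount": "10"})
    # 2. A malicious page auto-submits a hidden form to the bank (cross-origin POST).
    forged = Request("POST", "https://bank.example/transfer", "form",
                     "https://evil.example/cat.html", {"to": "mallory", "amount": "9999"})
    # 3. Alice clicks a link to the bank on a third-party site: her login must survive.
    link = Request("GET", "https://bank.example/account", "link", "https://news.example/")
    results = {name: bank.handle(r, browser.cookies_for(r))
               for name, r in (("legit", legit), ("forged", forged), ("link", link))}
    results["mallory_transfers"] = sum(1 for _, to, _ in bank.transfers if to == "mallory")
    return results


if __name__ == "__main__":
    print("without BEAP:", run_scenario(beap=False))
    print("with BEAP:   ", run_scenario(beap=True))
```

    Run as a script it replays the three requests twice. Without the filter the browser dutifully attaches the session cookie to the attacker's hidden form and the bank books a transfer to "mallory"; with the filter only the non-sensitive theme cookie reaches the bank on that request, so the deputy answers 401, while the same-origin form submission and the cross-site link navigation still carry the session cookie and keep working. The two heuristics are the whole design: get intention inference wrong in one direction and the protection is bypassable, get it wrong in the other and legitimate sites break, which is why the paper grounds them in measurements of real applications.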

Ninghui Li - One of the best experts on this subject based on the ideXlab platform.

  • Defeating cross-site request forgery attacks with browser-enforced authenticity protection
    Financial Cryptography, 2009
    Co-Authors: Ninghui Li, Ian Molloy

  • Defeating cross-site request forgery attacks with browser-enforced authenticity protection
    Annual Information Security Symposium, 2009
    Co-Authors: Ninghui Li, Ian Molloy

Do Van Thuan - One of the best experts on this subject based on the ideXlab platform.

  • Strong authentication with mobile phone as security token
    2009 IEEE 6th International Conference on Mobile Adhoc and Sensor Systems (MASS '09), 2009
    Co-Authors: Do Van Thanh, Ivar Jørstad, Tore Jønvik, Do Van Thuan
    Abstract:

    The protection of digital identities is becoming more and more crucial. The use of passwords for authentication is no longer sufficient, and stronger authentication schemes are necessary. Strong authentication solutions using two identification factors often require an additional device, which can be inconvenient for the user and costly for service providers. To avoid the use of an additional device, the mobile phone is adopted as a security token. This paper provides a study of the various ways the mobile phone can be used as an authentication token towards service providers on the Internet. It starts by discussing the need for a strong authentication scheme, and the motivation for using the mobile phone to improve several aspects of current authentication processes. Thereafter, the general architecture for authentication with mobile phones is presented. Several different authentication solutions using the mobile phone as an authentication token are then described, where the solutions vary in complexity, strength and user-friendliness. The paper ends with an evaluation of the different solutions and a discussion of the most probable attacks. A classification of the solutions is also provided, according to defined criteria.

Do Van Thanh - One of the best experts on this subject based on the ideXlab platform.

  • Strong authentication with mobile phone as security token
    2009 IEEE 6th International Conference on Mobile Adhoc and Sensor Systems (MASS '09), 2009
    Co-Authors: Do Van Thanh, Ivar Jørstad, Tore Jønvik, Do Van Thuan

Tore Jønvik - One of the best experts on this subject based on the ideXlab platform.

  • Strong authentication with mobile phone as security token
    2009 IEEE 6th International Conference on Mobile Adhoc and Sensor Systems (MASS '09), 2009
    Co-Authors: Do Van Thanh, Ivar Jørstad, Tore Jønvik, Do Van Thuan