1. Field
Embodiments of the invention relate to computer software application security in general, and more particularly to thwarting Cross-Site Request Forgery (CSRF) and Clickjacking attacks.
2. Description of the Related Art
Cross-Site Request Forgery (CSRF) refers to a class of attack in which a party's web browser is caused to perform an unwanted action at a target web site using that party's existing authenticated session. In a typical example of a CSRF attack, a bank customer who is logged in to the bank's web site uses the same web browser to access a web site that does not belong to the customer's bank and that contains malicious instructions placed there by an attacker. The malicious instructions cause the bank customer's browser to send a transaction request to the customer's bank without the bank customer's knowledge, such as a request to transfer funds from the bank customer's bank account to the attacker's bank account. Because the browser automatically attaches the customer's session cookie to the request, the bank's web server cannot distinguish the forged request from one the customer intended to make.
Current methods for preventing CSRF attacks against users of a target web site include having the target web server embed a randomly-generated nonce within web pages that are served by the target web server. An authenticated user who accesses the target web site receives the nonce and must return the same nonce to the target web server when sending a transaction request to the target web server. Assuming that such nonces cannot easily be forged or intercepted by an unauthorized party, and given that the browser's same-origin policy prevents a page served from the attacker's web site from reading the contents of the target web page, a transaction request that is sent by the authenticated user's browser to the target web server as the result of a CSRF attack will not include the proper nonce. This is detected by the target web server, which rejects the request and thereby defeats the CSRF attack.
One method used by attackers to overcome nonce-based anti-CSRF protection is referred to as “Clickjacking” and involves an attacker-controlled web page that includes an IFRAME pointing to the target web page on which the attack is to be perpetrated. A user who accesses the attacker's web page with a browser causes the target web page to be retrieved into the IFRAME, together with its anti-CSRF nonce and within the user's authenticated session. The web page containing the IFRAME is configured to visually obscure the retrieved target web page but for a clickable button or link, for example by rendering the IFRAME transparent and positioning it over decoy content. The unsuspecting user is lured on a false pretext into entering information into the web page and clicking the button or link, whereupon the click lands on the framed target web page and the user's browser sends a transaction request, complete with the valid nonce, to the target web server without the user's knowledge. Because the request originates from the genuine target web page, the nonce check is satisfied and the attack succeeds.
Current solutions for preventing Clickjacking attacks against authenticated users of a target web site include having the target web server embed software instructions, such as in the form of a JavaScript™ routine, within web pages that are served by the target web server, where the embedded instructions cause the user's browser to check whether the target web page has been retrieved in the context of an IFRAME and, if so, to navigate the top-level window away from the framing page. Unfortunately, as this requires that the user's browser be configured to run such embedded instructions, a browser that is not so configured would still be vulnerable to a Clickjacking attack. The same applies where the framing page itself instructs the browser to suppress script execution within the IFRAME, for example by means of the HTML5 sandbox attribute, since the protection depends entirely on the embedded instructions being executed.
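The Clickjacking overlay and the script-based frame check described above, as an added example that is not part of the patent text. The attacker page is built as a string with an invisible IFRAME stacked over a decoy button; the frame-busting routine is then executed against minimal stand-ins for the browser's `top` and `self` window objects, once with scripts enabled and once with them disabled, to show that the protection holds only in the former case. The host names are hypothetical.

```javascript
'use strict';
// Added example (not code from the patent): the Clickjacking overlay page,
// the script-based frame check served by the target site, and a simulation
// of that check running (or not) in the victim's browser. attacker.example
// and bank.example are hypothetical hosts.

// Attacker-controlled page: a transparent IFRAME of the target page is placed
// above a decoy button, so the victim's click lands on the framed page.
function buildClickjackingPage(targetUrl) {
  return [
    '<!doctype html><html><body>',
    '<p>You have won a prize. Click below to claim it.</p>',
    '<button style="position:absolute;top:80px;left:60px">Claim</button>',
    `<iframe src="${targetUrl}" style="position:absolute;top:40px;left:20px;` +
      'width:400px;height:200px;opacity:0;z-index:2"></iframe>',
    '</body></html>',
  ].join('\n');
}

// The frame-busting routine the target server embeds in its pages: if the
// page is not the top-level window, navigate the top-level window to itself.
const FRAME_BUSTING_SCRIPT = 'if (top !== self) { top.location = self.location; }';

// Minimal stand-ins for the window objects the script sees. When framed, the
// page's `top` is the attacker's window; otherwise `top` is the page itself.
function makeWindow(framed) {
  const target = { location: 'https://bank.example/transfer' };
  target.self = target;
  target.top = framed ? { location: 'https://attacker.example/' } : target;
  return target;
}

// Load the target page under the given conditions and report whether it is
// still rendered inside the attacker's frame afterwards.
function simulateLoad({ framed, scriptsEnabled }) {
  const win = makeWindow(framed);
  if (scriptsEnabled) {
    // Execute the embedded script with the page's own `top` and `self`,
    // exactly as the browser would when rendering the target page.
    new Function('top', 'self', FRAME_BUSTING_SCRIPT)(win.top, win.self);
  }
  // If the script navigated the top-level window to the target page, the
  // attacker's overlay is gone; otherwise the page is still clickjackable.
  const stillFramed = framed && win.top.location !== win.location;
  return { stillFramed };
}

console.log(simulateLoad({ framed: true, scriptsEnabled: true }));  // { stillFramed: false }
console.log(simulateLoad({ framed: true, scriptsEnabled: false })); // { stillFramed: true }
```

The simulation makes the dependency explicit: the only thing standing between the victim and the overlay is the embedded script, so any condition under which the browser does not execute it (scripting disabled, or a framing page that sandboxes the IFRAME) leaves the target page framed with its valid nonce intact.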