National Digital Library of Theses and Dissertations in Taiwan

Detailed record

Author: 吳玉冰
Author (English): Iok-Peng Ng
Title: Client-side Protection Against Cross-Site Request Forgery Attacks Using a Browser Extension with an Integrated Login State Check
Title (foreign language): Client-side Protection Against Cross-Site Request Forgery Attacks Using a Browser Extension with an Integrated Login State Check
Advisor: 王智弘
Advisor (English): Chih-Hung Wang
Degree: Master's
Institution: 國立嘉義大學 (National Chiayi University)
Department: Graduate Institute of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Information Engineering
Document type: Academic thesis
Graduation academic year: 104 (ROC calendar, i.e. the 2015-2016 academic year)
Language: English
Keywords (Chinese): Cross-site request forgery; client-side protection; Chrome extension; network security
Keywords (English): Cross Site Request Forgery; Client-side protection; Chrome extension; Network security
Statistics:
  • Cited by: 0
  • Views: 118
  • Rating: (none)
  • Downloads: 0
  • Saved to bookmark lists: 0
The rise of web platforms has created unlimited business opportunities; many e-commerce services (such as banks and online shopping malls) conduct financial transactions over the Internet, which at the same time increases the threat of network intrusion. Therefore, how to protect the sensitive data of financial transactions in web applications has become an important issue. Cross Site Request Forgery (CSRF) lets an attacker carry out destructive actions without obtaining the user's permission. In general, the attacker prepares a malicious web page in advance for a user who has already logged in to the vulnerable target website, lures the user into visiting the malicious site, and thereby causes a forged request, not intended by the user, to be sent to the vulnerable target website. In most cases the user will not notice that they have become a victim of CSRF.
Most current browser-side methods for defending against CSRF attacks are based on a whitelist, that is, on allowing or denying cross-domain requests. However, when the user has not added a legitimate link to the whitelist in advance, that link cannot connect normally.
The approach adopted in this thesis uses a Chrome extension to provide CSRF protection for the client-side Chrome browser. We developed a Chrome extension named BR-CSRF, which checks the user's login state at the target website and blocks cross-domain requests suspected of being CSRF.
Web services for e-business are becoming more useful and popular. E-business services such as banks and e-shops conduct financial transactions on websites, which increases the threat posed by network intruders. Therefore, how to protect the sensitive data of financial transactions in web applications has become a critical issue. Cross Site Request Forgery (CSRF) allows an attacker to carry out damaging activities without the user's approval. In general, the attacker prepares a malicious web page to attract connections from a user who has already been authorized by the vulnerable web application, so that the user unwittingly sends out the forged requests. In most cases, the user does not know that he or she has become a victim of CSRF.
Most current browser-based approaches to resisting CSRF attacks rely on a white list to allow or deny cross-domain requests. However, this is inconvenient when valid connections fail because the user has not added their domains to the white list. This thesis presents a client-side CSRF protection approach using a Chrome extension. We developed an extension called BR-CSRF that checks the login state for the target website and blocks cross-domain requests suspected of being CSRF.
Chinese Abstract
Abstract
Acknowledgements
CONTENTS
LIST OF FIGURES
LIST OF TABLES
Chapter 1. Introduction
1.1 Overview
1.2 Motivations
1.3 Contributions
1.4 Organization
Chapter 2. Related Works
2.1 CSRF Attacks
2.1.1 Reflected CSRF
2.1.2 Stored CSRF
2.1.3 Login CSRF
2.2 Existing Countermeasures
2.2.1 Server-side Countermeasures
2.2.2 Client-side Countermeasures
Chapter 3. Cross-site Request Detection and Login State Check Module Using Chrome Extension
3.1 Environment
3.2 Proposed Scheme
3.2.1 BR-CSRF Framework
3.2.2 Domain Checker
3.2.3 Login State Checker
3.2.4 Attack Detection Policy
3.2.5 Attack Handling Module
3.3 Algorithm
3.3.1 Domain_checker
3.3.2 Login_state_checker
3.3.3 Attack_handle_module
Chapter 4. Experiment And Analysis
4.1 Environment
4.2 Experiment Of Wordpress
4.3 Experiment Of Zeuscart
4.4 Analysis And Comparison
4.4.1 Analysis
4.4.2 Comparison
Chapter 5. Conclusions and Future Work
Reference