Detection of cross-site request forgery attacks

US 8,893,270 B1
Filed: 01/29/2008
Issued: 11/18/2014
Est. Priority Date: 01/29/2008
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of detecting a cross-site request forgery (CSRF) attack, the method comprising:

receiving an HTTP (Hypertext Transfer Protocol) response from a website, the HTTP response being responsive to a request for a web page previously submitted from a user computer to the website;

analyzing the HTTP response for presence of CSRF code by determining whether a type of content expected to be received by a web browser running in the user computer is consistent with content that will be provided to the web browser, the CSRF code comprising computer-readable program code which automatically accesses an online account of a user of the user computer upon receipt and execution of the CSRF code in the user computer without authorization from the user;

performing a security action when the CSRF code is found in the HTTP response;

receiving an HTTP request from the web browser;

analyzing the HTTP request for information indicative of a CSRF attack; and

performing the security action when the HTTP request includes information indicative of the CSRF attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for detecting cross-site request forgery (CSRF) attacks include a CSRF detector that analyzes HTTP communications for information indicative of a CSRF attack. The CSRF detector may analyze HTTP responses from a website for CSRF code that automatically performs unauthorized access of an online account of a user of a user computer upon receipt and execution of the CSRF code in the user computer. The CSRF detector may also analyze HTTP requests from a web browser for information indicative of a CSRF attack.

8 Citations

View as Search Results

15 Claims

1. A computer-implemented method of detecting a cross-site request forgery (CSRF) attack, the method comprising:
- receiving an HTTP (Hypertext Transfer Protocol) response from a website, the HTTP response being responsive to a request for a web page previously submitted from a user computer to the website;
  
  analyzing the HTTP response for presence of CSRF code by determining whether a type of content expected to be received by a web browser running in the user computer is consistent with content that will be provided to the web browser, the CSRF code comprising computer-readable program code which automatically accesses an online account of a user of the user computer upon receipt and execution of the CSRF code in the user computer without authorization from the user;
  
  performing a security action when the CSRF code is found in the HTTP response;
  
  receiving an HTTP request from the web browser;
  
  analyzing the HTTP request for information indicative of a CSRF attack; and
  
  performing the security action when the HTTP request includes information indicative of the CSRF attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - forwarding the HTTP response to the web browser running in the user computer when the CSRF code is not found in the HTTP response.
  - 3. The method of claim 1 further comprising:
    - forwarding the HTTP request to a destination computer when the HTTP request does not include information indicative of the CSRF attack.
  - 4. The method of claim 1 wherein the security action comprises blocking communication to and from the website.
  - 5. The method of claim 1 wherein the CSRF code comprises an HTML image tag that retrieves content that is not an image file.
  - 6. The method of claim 1 wherein the CSRF code comprises a script.
  - 7. The method of claim 1 wherein analysis of the HTTP response for presence of the CSRF code is performed in the user computer.
  - 8. The method of claim 1 wherein analysis of the HTTP response for presence of the CSRF code is performed in another computer separate from the user computer.

9. A computer having memory and a processor for executing computer-readable program code in the memory, the memory comprising:
- a cross-site request forgery (CSRF) detector comprising computer-readable program code, wherein the CSRF detector detects a CSRF attack that automatically performs an unauthorized access of an online account of a user of a user computer when CSRF code is received and loaded in the user computer, the CSRF detector being configured to;
  
  detect presence of the CSRF code in an HTTP (Hypertext Transfer Protocol) response sent by a website to the user computer by determining whether a type of content expected to be received by a web browser running in the user computer is consistent with content that will be provided to the web browser,receive an HTTP request from the web browser,analyze the HTTP request for information indicative of the CSRF attack, andperform a security action when the CSRF code is found in the HTTP response,and perform the security action when the HTTP request includes information indicative of the CSRF attack.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The computer of claim 9 wherein the computer comprises a gateway computer.
  - 11. The computer of claim 9 wherein the CSRF detector is configured to forward the HTTP response to the web browser running in the user computer when the CSRF code is not found in the HTTP response.
  - 12. The computer of claim 9 wherein the CSRF detector is configured to forward the HTTP request to a destination computer when the HTTP request does not include information indicative of the CSRF attack.
  - 13. The computer of claim 9 wherein the security action comprises blocking communication to and from the website.
  - 14. The computer of claim 9 wherein the CSRF code comprises an HTML image tag that retrieves content that is not an image file.
  - 15. The computer of claim 9 wherein the computer is a user computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Yang, Shun-Fa, Liang, Wen-Tien, Kuo, Hsin-Hsin
Primary Examiner(s)
Shaw, Brian

Application Number

US12/011,877
Time in Patent Office

2,485 Days
Field of Search

726/22, 726/25
US Class Current

726/22
CPC Class Codes

G06F 21/563   by source code analysis

G06F 2221/2119   Authenticating web pages, e...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/168   above the transport layer

Detection of cross-site request forgery attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

8 Citations

15 Claims

Specification

Use Cases

Quick Links

Others

Detection of cross-site request forgery attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

15 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others