Cross-site request forgery defense

US 9,660,809 B2
Filed: 08/07/2015
Issued: 05/23/2017
Est. Priority Date: 08/07/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for defending against a cross-site request forgery (CSRF) attack, the method comprising:

serving a content item to a client computing device, wherein the content item includes an embedded executable script;

receiving a first asynchronous request for a first CSRF token from the client computing device, wherein the first asynchronous request is generated as a result of running the embedded executable script at the client computing device;

generating the first CSRF token in response to the first asynchronous request, wherein the first CSRF token is generated using a hash message authentication code (HMAC) key, and wherein the first CSRF token is subject to an expiration event;

sending the first CSRF token to the client computing device;

receiving a second asynchronous request for an updated CSRF token from the client computing device, wherein the second asynchronous request is received after network connectivity with the client computing device is temporarily lost after sending the first CSRF token to the client computing device;

generating the updated CSRF token in response to the second asynchronous request, wherein the updated CSRF token is also generated using the HMAC key;

receiving, from the client computing device, a request to access a resource provided by a server computing device, wherein the request includes a received CSRF token; and

determining whether the received CSRF token can be authenticated using the HMAC key.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An HTML document includes a JavaScript element that manages CSRF token use. When the HTML document is rendered, the JavaScript element asynchronously requests a CSRF token from the server. In response, the server generates a JWT using a keyed HMAC algorithm. The resulting JWT, which functions as a CSRF token, is returned to the user where it is stored in a protected variable inside the JavaScript element. The CSRF token is therefore stateless and isn'"'"'t stored in a server-side repository. When the user later requests access to a server resource, the CSRF token is included in such request. This may be accomplished by adding a hidden input field that includes the CSRF token to the submission that'"'"'s transmitted to the server. If the server cannot validate the received token using the HMAC key that was originally used to generate the token, the request is considered unauthorized and is not processed.

Citations

19 Claims

1. A computer-implemented method for defending against a cross-site request forgery (CSRF) attack, the method comprising:
- serving a content item to a client computing device, wherein the content item includes an embedded executable script;
  
  receiving a first asynchronous request for a first CSRF token from the client computing device, wherein the first asynchronous request is generated as a result of running the embedded executable script at the client computing device;
  
  generating the first CSRF token in response to the first asynchronous request, wherein the first CSRF token is generated using a hash message authentication code (HMAC) key, and wherein the first CSRF token is subject to an expiration event;
  
  sending the first CSRF token to the client computing device;
  
  receiving a second asynchronous request for an updated CSRF token from the client computing device, wherein the second asynchronous request is received after network connectivity with the client computing device is temporarily lost after sending the first CSRF token to the client computing device;
  
  generating the updated CSRF token in response to the second asynchronous request, wherein the updated CSRF token is also generated using the HMAC key;
  
  receiving, from the client computing device, a request to access a resource provided by a server computing device, wherein the request includes a received CSRF token; and
  
  determining whether the received CSRF token can be authenticated using the HMAC key.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein:
    - the method further comprises sending the updated CSRF token to the client computing device;
      
      the first CSRF token and the updated CSRF token are generated by the server computing device; and
      
      neither the first CSRF token nor the updated CSRF token are retained at the server computing device after being sent to the client computing device.
  - 3. The method of claim 1, wherein the content item is an HTML document that is served to the client computing device from a web server.
  - 4. The method of claim 1, wherein the embedded executable script is a JavaScript element.
  - 5. The method of claim 1, further comprising granting access to the resource in response to determining that the received CSRF token can be authenticated using the HMAC key.
  - 6. The method of claim 1, wherein:
    - the first CSRF token and the updated CSRF token are generated by a first server computing device; and
      
      determining whether the received CSRF token can be authenticated is performed by a second computing device.

7. A cross-site request forgery (CSRF) defense system that comprises a server cluster having a plurality of server computing devices, each of the server computing devices includinga processor, wherein the plurality of processors are configured to collectively execute instructions that cause the server cluster to invoke a CSRF defense process;
- anda memory storing a hash message authentication code (HMAC) key, wherein the HMAC key stored in each of the memories is functionally equivalent;
  
  wherein the CSRF defense process comprises;
  
  serving a content item to a client computing device, wherein the content item includes an executable script;
  
  receiving a first request for a first CSRF token from the client computing device, wherein the first request is generated in response to running the executable script at the client computing device;
  
  generating the first CSRF token in response to the first request, wherein the first CSRF token is generated using the HMAC key, and wherein the first CSRF token is subject to an expiration event;
  
  sending the first CSRF token to the client computing device;
  
  receiving a second request for an updated CSRF token from the client computing device, wherein the second request is received after network connectivity with the client computing device is temporarily lost after sending the first CSRF token to the client computing device;
  
  generating the updated CSRF token in response to the second request, wherein the updated CSRF token is also generated using the HMAC key;
  
  receiving, from the client computing device, a subsequent request to access a resource provided by one of the plurality of server computing devices, wherein the subsequent request includes a received CSRF token; and
  
  determining whether the received CSRF token can be authenticated using the HMAC key.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The CSRF defense system of claim 7, wherein the subsequent request is generated in response to a user interaction with the content item at the client computing device.
  - 9. The CSRF defense system of claim 7, further comprising a load balancer configured to route at least one of the first and second requests to a first one of the plurality of server computing devices, and to route the subsequent request to a second one of the plurality of server computing devices.
  - 10. The CSRF defense system of claim 7, wherein:
    - the content item is an HTML document that includes a fillable HTML form;
      
      the subsequent request further includes a data submission generated based on data entered into the fillable HTML form; and
      
      the CSRF defense process further comprises processing the data submission in response to determining that the received CSRF token can be authenticated using the HMAC key.
  - 11. The CSRF defense system of claim 7, wherein:
    - the subsequent request further includes a data submission generated based on a user interaction with the content item; and
      
      the CSRF defense process further comprises, in response to determining that the received CSRF token cannot be authenticated using the HMAC key, sending the client computing device an error message indicating that the data submission has not been processed.

12. A computer program product comprising a non-transitory computer-readable medium storing instructions that, when executed by one or more processors, causes a cross-site request forgery (CSRF) defense process to be carried out, the process comprising:
- requesting a content item from a server cluster;
  
  receiving the requested content item from the server cluster, wherein the received content item includes a JavaScript element;
  
  rendering the received content item in a content browser;
  
  executing the JavaScript element;
  
  as a result of executing the JavaScript element, requesting a CSRF token from the server cluster;
  
  receiving the CSRF token from the server cluster;
  
  storing the received CSRF token in the JavaScript element;
  
  making a first determination that the received CSRF token is subject to an expiration event;
  
  making a second determination that network connectivity to the server cluster is unavailable;
  
  detecting that network connectivity to the server cluster has been reestablished;
  
  requesting an updated CSRF token from the server cluster in response to detecting that network connectivity to the server cluster has been reestablished; and
  
  submitting, to the server cluster, a subsequent request for access to a resource provided by the server cluster, wherein the subsequent request includes the updated CSRF token.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The computer program product of claim 12, wherein submitting the subsequent request to the server cluster comprises:
    - monitoring a capture phase of the content browser;
      
      detecting a submit event generated in response to a user interaction with the content browser; and
      
      adding a hidden input field to the content item, wherein the hidden input field includes the updated CSRF token.
  - 14. The computer program product of claim 12, wherein storing the received CSRF token in the JavaScript element comprises storing the received CSRF token in a protected variable that is defined in the JavaScript element.
  - 15. The computer program product of claim 12, wherein the updated CSRF token is requested from the server cluster before the expiration event occurs.
  - 16. The computer program product of claim 12, wherein the content item is an HTML document that is received from a web server and rendered in a web browser.
  - 17. The computer program product of claim 12, wherein requesting the content item from the server cluster comprises submitting an initial request for the content item to a load balancer configured to route the initial request to one of a plurality of server computing devices comprising the server cluster.
  - 18. The computer program product of claim 12, wherein the JavaScript element is executed in response to rendering the content item in the content browser.
  - 19. The computer program product of claim 12, wherein the CSRF defense process further comprises caching the received content item in a memory before rendering the received content item.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adobe Inc.
Original Assignee
Adobe Systems Incorporated (Adobe Inc.)
Inventors
Krapf, Lars, Knobloch, Gilles, Antipa, Damien, Leonardo, Christanto, Sanso, Antonio
Primary Examiner(s)
Okeke, Izunna
Assistant Examiner(s)
Cribbs, Malcolm

Application Number

US14/820,607
Publication Number

US 20170041144A1
Time in Patent Office

655 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 2221/2119   Authenticating web pages, e...

G06F 2221/2129   Authenticate client device ...

H04L 63/10   for controlling access to d...

H04L 63/123   received data contents, e.g...

H04L 63/1466   Active attacks involving in...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3234   involving additional secure...

H04L 9/3242   involving keyed hash functi...

Cross-site request forgery defense

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Cross-site request forgery defense

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links