Avoiding Cross Site Request Forgery (CSRF) Attack Using TwoFish Security Approach
Wasim Akram Shaik, Rajesh Pasupuleti "Avoiding Cross Site Request Forgery (CSRF) Attack Using TwoFish Security Approach". International Journal of Computer Trends and Technology (IJCTT) V25(2):68-72, July 2015. ISSN:2231-2803. www.ijcttjournal.org. Published by Seventh Sense Research Group.
Abstract -
Security is the most important concern for online users who need to protect their confidential data, and users are rightly nervous about the security risks of the internet. Identifying a vulnerability so that it can be remediated is a major challenge for every user. This paper addresses one such vulnerability, the Cross Site Request Forgery (CSRF) attack. In a CSRF attack the attacker tricks a victim into visiting a phishing website or clicking a URL that carries a malicious request, which performs an unwanted action on a site where the victim is already logged in and can cause loss of the user's data. This type of attack is highly effective and difficult to prevent. An earlier approach, visual cryptography, has been used to counter such attacks; unfortunately it is time-consuming, since it requires manual effort to integrate the defence techniques, which lowers the accuracy rate and does not meet the needs of users. CSRF attacks are possible because a website authenticates the web browser, which attaches the user's credentials to every request it sends, rather than the user's intent. A novel approach, "Avoiding CSRF attack using TwoFish security", is proposed to avoid these attacks by letting the user validate a website in an understandable manner. This TwoFish security scheme is an enhanced way to validate a web page and performs authentication in two phases: first, an MD5 hash (MD5 is a hash function, not an encryption algorithm) is computed for the URL, and second, image-based authentication is performed to validate the image registered for that URL. With this strategy the user can easily recognise whether a website is genuine or not. We provide experimental results that demonstrate the use of our prototype, which provides service-oriented authenticated websites to the respective clients.
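The two-phase check the abstract describes, written out as an added illustration (this is not the paper's prototype or its code): phase 1 computes an MD5 hash of the URL and uses it as the key into a registry of sites, phase 2 compares the image presented for that URL with the image registered for it. The registry, the sample image bytes and the URL canonicalisation rules are assumptions made here so the example runs offline; the abstract does not specify them.

```python
"""Two-phase URL validation in the style the abstract describes (added example).
Phase 1: MD5 of the canonicalised URL is looked up in a registry of known sites.
Phase 2: the image shown for that URL is compared with the registered image."""
import hashlib
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data: a stand-in for the image file registered for the genuine site.
GENUINE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"constructed-bank-logo-bytes"


def canonical_url(url: str) -> str:
    """Normalise a URL so that harmless variations of one genuine address (upper-case
    scheme or host, explicit default port, fragment, trailing dot on the host) hash to
    the same value, while a different host (lookalike or homograph domain) does not.
    These rules are an assumption of this example, not the paper's."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    # Homograph hosts (e.g. Cyrillic letters) become distinct xn-- labels, so they never
    # collide with the ASCII domain they imitate.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass
    try:
        port = parts.port
    except ValueError:
        # Malformed port text: keep the netloc verbatim so it cannot match a registered key.
        host = parts.netloc.lower()
        port = None
    if port is not None and not ((scheme == "https" and port == 443) or (scheme == "http" and port == 80)):
        host = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


def md5_hex(data: bytes) -> str:
    # MD5 is a hash function, not encryption: it only yields a fixed-size lookup key.
    return hashlib.md5(data).hexdigest()


def url_key(url: str) -> str:
    """Phase 1: the MD5 digest of the canonical URL is the registry key."""
    return md5_hex(canonical_url(url).encode("utf-8"))


def register_site(registry: dict, url: str, image: bytes) -> str:
    """Store the digest of the site's image under the hash of its URL (assumed registration step)."""
    key = url_key(url)
    registry[key] = md5_hex(image)
    return key


def validate(registry: dict, url: str, presented_image: bytes) -> tuple:
    """Phase 1 then phase 2; returns (genuine, reason)."""
    expected = registry.get(url_key(url))
    if expected is None:
        return False, "url-not-registered"
    if md5_hex(presented_image) != expected:
        return False, "image-mismatch"
    return True, "ok"


def demo() -> dict:
    """Run the check on constructed inputs and return each verdict by case name."""
    registry = {}
    register_site(registry, "https://bank.example/login", GENUINE_IMAGE)
    cases = {
        "same site, cosmetic variation": "HTTPS://Bank.Example:443/login#top",
        "lookalike subdomain": "https://bank.example.attacker.test/login",
        "homograph (Cyrillic a)": "https://b\u0430nk.example/login",
    }
    results = {name: validate(registry, u, GENUINE_IMAGE) for name, u in cases.items()}
    results["wrong image"] = validate(registry, "https://bank.example/login", b"not-the-registered-image")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} -> {verdict}")
```

The verdicts are only as trustworthy as the registry and the channel that delivers the image: a lookalike or homograph domain simply hashes to an unregistered key, so the scheme tells the user "unknown site" rather than "forgery". Note also that this validates the identity of the site the user is looking at; it does not by itself stop a forged request that the browser sends to a genuine site with the user's cookies attached, which is the mechanism the abstract names as the root cause of CSRF.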
References
[1] Anjali Jose, S. Vinoth Lakshmi, "Web Security Using Visual Cryptography Against Phishing", Middle East Journal of Scientific Research, ISSN 1990-9233, 2014.
[2] W. Zeller and E. W. Felten, "Cross-Site Request Forgeries: Exploitation and Prevention", technical report, Princeton University, 2008.
[3] Grossman, "Cross-Site Request Forgery: The Sleeping Giant of Website Vulnerabilities", RSA Conference, San Francisco, April 2008.
[4] Xiaoli Lin, Pavol Zavarsky, Ron Ruhl, Dale Lindskog, "Threat Modeling for CSRF Attacks", International Conference on Computational Science and Engineering, 2009.
[5] J. Burns, "Cross Site Reference Forgery: An Introduction to a Common Web Application Weakness", iSEC Partners, www.isecpartners.com/documents/SRF_paper.Pdf.
[6] "A Survey on Cross-Site Request Forgery Attack Preventive Measures", OWASP, www.owasp.org/index.php/cross_site_request_forgery, May 2009.
[7] R. D. Kombade and B. B. Meshram, "CSRF Vulnerabilities and Defensive Techniques", International Journal of Computer Network and Information Security (IJCNIS), 4(1):31, 2012.
[8] OWASP, "Top 10 2013", https://www.owasp.org/index.php/Top_10_2013-Top_10.
[9] A. Barth, C. Jackson, and J. C. Mitchell, "Robust Defenses for Cross-Site Request Forgery", ACM CCS 2008; R. Feil and L. Nyffenegger, "Evolution of Cross Site Request Forgery Attacks", Journal in Computer Virology, 4(1):61-71, 2008.
[10] APWG, "Origins of the Word 'Phishing'", 2006, http://www.antiphishing.org/word_phish.htm.
[11] R. Dhamija, J. D. Tygar, and M. Hearst, "Why Phishing Works", Proceedings of the Conference on Human Factors in Computing Systems (CHI), 2006.
[12] P. Rohini, K. Ramya, "Phishing Email Filtering Techniques: A Survey", Volume 17, Number 1, November 2014, ISSN 2231-2803.
[13] E. W. Felten, D. Balfanz, D. Dean, and D. S. Wallach, "Web Spoofing: An Internet Con Game", 20th National Information Systems Security Conference, October 1997.
[14] D. Geer, "Security Technologies Go Phishing", Computer, Volume 38, Issue 6, June 2005, pp. 18-21.
[15] S. Arun, D. Anand, T. Selvaprabhu, "Detecting Phishing Attacks in Purchasing Process through Pro-active Approach", Anna University, 2012.
[16] Sun Bin, Wen Qiaoyan and Liang Xiaoying, "A DNS Based Anti-Phishing Approach", Proceedings of the IEEE Second International Conference on Networks Security, Wireless Communications and Trusted Computing, 2010.
[17] Kamalakar Sanka, Betam Suresh, "A New Framework for Thwarting Phishing Attacks Based on Visual Cryptography", Volume 4, Issue 8, August 2013, ISSN 2231-2803.
[18] Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford, "CAPTCHA: Using Hard AI Problems for Security".
[19] Anthony Y. Fu, Liu Wenyin, "Detecting Phishing Web Pages with Visual Similarity Assessment Based on the Earth Mover's Distance (EMD)", IEEE Transactions on Dependable and Secure Computing, 3(4):301-311, October/December 2006.
[20] Tainan Li, Fuye Han, Shuai Ding and Zhen Chen, "LARX: Large-scale Anti-phishing by Retrospective Data-Exploring Based on a Cloud Computing Platform", Proceedings of the IEEE 20th International Conference on Computer Communications and Networks, 2011.
[21] K. Nirmal, S. E. V. Ewards and K. Geetha, "Maximizing Online Security by Providing a 3 Factor Authentication System to Counter-attack Phishing", Proceedings of the IEEE International Conference on Emerging Trends in Robotics and Communication Technologies, 2010.
Keywords
Security, Vulnerability, CSRF attack, MD5 algorithm, TwoFish, Phishing.