11)Consider the following CSRF attack: ww.attacker.com GET /blog HTTP/1.1 POST /transfer HTTP/1.1 Referer: http://www.attacker.com/blog recipient attacker&amount $100 Cookle: SessionID=523FA4cd2E HTTP/1.1 200 OK Transfer completel www.bank.com a. One possible defense that the bank could adopt to block the attack above is to check the referer to ensure that it comes from the bank. Describe a plausible situation where this defense would NOT work. b. Describe a more robust defense that the bank could adopt to block the CSRF attack without experiencing the limitation identified in part (a), and explain how it would block the attack.

Database System Concepts
7th Edition
ISBN:9780078022159
Author:Abraham Silberschatz Professor, Henry F. Korth, S. Sudarshan
Publisher:Abraham Silberschatz Professor, Henry F. Korth, S. Sudarshan
Chapter1: Introduction
Section: Chapter Questions
Problem 1PE
icon
Related questions
Question
11) Consider the following CSRF attack:
ww.attacker.com
GET /blog HTTP/1.1
<form action=https://www.bank.com/transfer
method-POST target-invisibleframe>
<input name recipient value-attacker>
<input name amount value-$100>
</form>
<script>document.forms[0].submit()</script>
POST /transfer HTTP/1.1
Referer: http://www.attacker.com/blog
recipient attacker&amount $100
Cookie: SessionID=523FA4cd2E
HTTP/1.1 200 OK
Transfer complete!
T
www.bank.com
a. One possible defense that the bank could adopt to block the attack above is to check the referer
to ensure that it comes from the bank. Describe a plausible situation where this defense would NOT
work.
b. Describe a more robust defense that the bank could adopt to block the CSRF attack without
experiencing the limitation identified in part (a), and explain how it would block the attack.
Transcribed Image Text:11) Consider the following CSRF attack: ww.attacker.com GET /blog HTTP/1.1 <form action=https://www.bank.com/transfer method-POST target-invisibleframe> <input name recipient value-attacker> <input name amount value-$100> </form> <script>document.forms[0].submit()</script> POST /transfer HTTP/1.1 Referer: http://www.attacker.com/blog recipient attacker&amount $100 Cookie: SessionID=523FA4cd2E HTTP/1.1 200 OK Transfer complete! T www.bank.com a. One possible defense that the bank could adopt to block the attack above is to check the referer to ensure that it comes from the bank. Describe a plausible situation where this defense would NOT work. b. Describe a more robust defense that the bank could adopt to block the CSRF attack without experiencing the limitation identified in part (a), and explain how it would block the attack.
Expert Solution
steps

Step by step

Solved in 4 steps

Blurred answer
Knowledge Booster
VLAN
Learn more about
Need a deep-dive on the concept behind this application? Look no further. Learn more about this topic, computer-science and related others by exploring similar questions and additional content below.
Similar questions
Recommended textbooks for you
Database System Concepts
Database System Concepts
Computer Science
ISBN:
9780078022159
Author:
Abraham Silberschatz Professor, Henry F. Korth, S. Sudarshan
Publisher:
McGraw-Hill Education
Starting Out with Python (4th Edition)
Starting Out with Python (4th Edition)
Computer Science
ISBN:
9780134444321
Author:
Tony Gaddis
Publisher:
PEARSON
Digital Fundamentals (11th Edition)
Digital Fundamentals (11th Edition)
Computer Science
ISBN:
9780132737968
Author:
Thomas L. Floyd
Publisher:
PEARSON
C How to Program (8th Edition)
C How to Program (8th Edition)
Computer Science
ISBN:
9780133976892
Author:
Paul J. Deitel, Harvey Deitel
Publisher:
PEARSON
Database Systems: Design, Implementation, & Manag…
Database Systems: Design, Implementation, & Manag…
Computer Science
ISBN:
9781337627900
Author:
Carlos Coronel, Steven Morris
Publisher:
Cengage Learning
Programmable Logic Controllers
Programmable Logic Controllers
Computer Science
ISBN:
9780073373843
Author:
Frank D. Petruzella
Publisher:
McGraw-Hill Education