NoForge: A server-side proxy for preventing XSRF attacks

The Problem: XSRF attacks

Cross-site request forgery (XSRF or CSRF, and sometimes also called "Session Riding") is an attack against web application users that tries to trick the user into submitting unintentional requests to some web site. If the user is logged in to this web site, and if the site does not take measures against XSRF attacks (and very often, there are no such measures), the attacker can do almost anything on this site in the name of the victim user: change passwords, send emails, make forum entries, transfer money, file product orders, and so on.

The standard mitigation technique against XSRF attacks is based on the use of shared secrets (tokens), which allow the web application to distinguish intended user requests from unintended requests that were caused by an XSRF attack. However, refactoring an application such that it employs this protection technique is a laborious and error-prone task, and requires a good understanding of the protected application.

The Solution: NoForge

NoForge is research prototype that demonstrates a server-side solution for the problem of protecting a (PHP) web application and its users against XSRF attacks. NoForge acts as a proxy that inspects the communication between client and server, and dynamically augments the web pages returned to the user with a shared secret. This way, it is able to distinguish intended requests from unintended ones. In contrast to manual approaches against XSRF, NoForge can be deployed quickly, and does not require any understanding of the protected application.

Documentation / Publications

Preventing Cross Site Request Forgery Attacks.
Nenad Jovanovic, Engin Kirda, and Christopher Kruegel.
IEEE International Conference on Security and Privacy in Communication Networks (SecureComm).
Baltimore, MD, USA, August 2006.
[Download] [Technical Report]


Please note that NoForge is a research prototype. It is targeted at demonstrating the concepts of dynamic XSRF protection, and not at the use in production environments. As a result, it might contain bugs, and there are probably several points in which the current implementation could be improved. Enjoy!

Download NoForge 1.0.


NoForge was created by Nenad Jovanovic.

Last Modified: Mon Jun 11 09:54:19 CEST 2007

Secure Systems Lab / Technical University of Vienna