Title CSRF atakų tyrimas
Translation of Title Investigation of CSRF attacks
Authors Kolaitis, Tomas
Pages 40
Keywords [eng] CSRF ; data security ; extra random field
Abstract [eng] During the last few years the number of Internet users has been increasing rapidly. Every year there are many new users, and the Internet is becoming a vital part of our lives. Since the number of Internet users is growing so fast, business has noticed this as well. Every day we see new web-based systems created that allow us to shop, communicate or just spend time online. With the increasing popularity of cloud computing, more and more people and companies are moving their resources and data to the cloud. All this data is usually accessed through web systems. Since there are so many users on the Internet, everybody can notice that the number of hackers is increasing rapidly as well. Their main objective is the user's data. One way that data can be retrieved is by using CSRF attacks. The main purpose of this attack is to force a logged-in user's browser to perform actions on behalf of that user without the user noticing. The goal of these attacks is not to break the system itself, but rather to exploit existing bugs in the system. There are two ways to prevent these attacks: either the user can use protection tools, although this is not very sufficient, or programmers can try to remove all bugs in the system that allow a CSRF attack to take place. Hardening the security of the system itself is much more effective than any method the user could apply himself; the user should not be forced to use extra tools to improve security. Many different ways in which programmers try to protect the system can be found. The most popular one is adding an extra random field to the form: a random value is generated once the user is authenticated and is added to every form that is sent to the server using the POST method. This value must be truly random, otherwise an attacker might be able to guess it. In this work I have analyzed all possibilities that could be used to protect the system, together with their advantages and disadvantages.
I have also analyzed the most popular frameworks that can be used to protect a system from CSRF attacks. After taking into consideration all the methods that could be used to protect the system, I came up with a new method that could improve protection from CSRF attacks.
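The "extra random field" defence the abstract describes, written out as an added Python example (this is not code from the thesis and does not reproduce its proposed method). The session object, the form representation and the `login` / `render_form` / `handle_post` helpers are assumptions made for the illustration; the security-relevant choices are that the token comes from a CSPRNG (`secrets`), is bound to one authenticated session, is carried in every POST form, and is checked with a constant-time comparison.

```python
import hmac
import secrets

# Assumed token size: 32 bytes of CSPRNG output, base64url-encoded by token_urlsafe.
TOKEN_BYTES = 32


class Session:
    """Minimal in-memory session (assumed model, not a real framework object)."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = None


def login(user):
    """Authenticate a user and generate the anti-CSRF token exactly once.

    The token must be unpredictable: secrets.token_urlsafe() draws from the
    operating system CSPRNG. A PRNG such as random.random() would be guessable,
    which is the failure mode the abstract warns about.
    """
    session = Session(user)
    session.csrf_token = secrets.token_urlsafe(TOKEN_BYTES)
    return session


def render_form(session, action):
    """Build a POST form for the given action, carrying the hidden token field.

    A form is modelled as a dict; a real template would emit
    <input type="hidden" name="csrf_token" value="...">.
    """
    return {
        "method": "POST",
        "action": action,
        "fields": {"csrf_token": session.csrf_token},
    }


def handle_post(session, form_fields):
    """Accept a POST only if its token matches the one bound to this session.

    Returns True when the request is accepted, False when it is rejected.
    hmac.compare_digest avoids leaking the token through timing differences.
    """
    submitted = form_fields.get("csrf_token")
    if not session.csrf_token or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(submitted, session.csrf_token)


def demo():
    """Run the three cases a reviewer would check; returns a dict of results."""
    alice = login("alice")
    bob = login("bob")

    # 1. Legitimate submission: the browser sends back the field the server rendered.
    own_form = render_form(alice, "/transfer")
    legit = handle_post(alice, dict(own_form["fields"], amount="10"))

    # 2. Cross-site forged request (constructed): a third-party page can make
    #    Alice's browser POST to /transfer, but cannot read her token, so the
    #    field is absent.
    forged = handle_post(alice, {"amount": "10"})

    # 3. Token from a different session must not be accepted either.
    wrong_session = handle_post(alice, {"csrf_token": bob.csrf_token, "amount": "10"})

    return {
        "legit_accepted": legit,
        "forged_rejected": not forged,
        "other_session_rejected": not wrong_session,
        "tokens_differ": alice.csrf_token != bob.csrf_token,
    }


if __name__ == "__main__":
    print(demo())
```

The check in `handle_post` is deliberately independent of the `Origin`/`Referer` headers and of cookie attributes such as `SameSite`; those are complementary defences, whereas the random field is the one the abstract identifies as the most widely used.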
Dissertation Institution Kauno technologijos universitetas.
Type Master thesis
Language Lithuanian
Publication date 2015