The Journal of the Institute of Internet, Broadcasting and Communication (한국인터넷방송통신학회논문지)

The Institute of Internet, Broadcasting and Communication (한국인터넷방송통신학회)
권호 표지
DOI QR코드

DOI QR Code

Vulnerability Defense of On-Zeroboard using CSRF Attack

CSRF 공격기법에 대한 제로보드상의 취약점 방어

  • Kim, Do-Won (Dept. of Computer & Information Communications Engineering, Hongik University) ;
  • Bae, Su-Yeon (Dept. of Computer & Information Communications Engineering, Hongik University) ;
  • An, Beongku (Dept. of Computer & Information Communications Engineering, Hongik University)
  • 김도원 (홍익대학교 컴퓨터정보통신공학과) ;
  • 배수연 (홍익대학교 컴퓨터정보통신공학과) ;
  • 안병구 (홍익대학교 컴퓨터정보통신공학과)
  • Received : 2014.04.04
  • Accepted : 2014.08.08
  • Published : 2014.08.31
Download PDF
⟨ Previous Next ⟩

Abstract

Zeroboard is a public bulletin board that can support PHP and MySQL. It has been used by many people because it is easy to use, but there is no more updates after Zeroboard4. So, there is a problem that its administrator will have nothing to do about it if zeroboard has a vulnerability. In this paper, we will discuss about CSRF(Cross Site request Forgery) which is developed and expanded by XSS(Cross Site Scripting). Also, we will find CSRF attacks and suggest an alternative method using VM-ware. The main features and contributions of the proposed method are as follows. First, make an environment construction using VM-ware and other tools. Second, analyze and prepare vulnerabilities using Proxy server. Performance evaluation will be conducted by applying possible countermeasure.

제로보드는 PHP와 MySQL이 지원되는 공개용 게시판이다. 초보자들도 쉽게 사용할 수 있기 때문에 많이 사용되고 있으나 제로보드4를 마지막으로 더 이상의 업데이트는 없다고 알려져 있다. 때문에 취약점이 발생한다면 이를 사용하는 게시판 관리자들은 속수무책으로 당할 수밖에 없는 문제점이 존재한다. 본 논문에서는 XSS에서 확장하고 발전된 CSRF 공격에 대하여 알아보고, VM 웨어를 이용한 환경구축을 통해 대표적으로 게시판에서 이루어지는 CSRF의 공격방법과 그에 대한 대안방법을 제시한다. 제안된 방법(공격방법, 대안방법)의 주요한 특징 및 기여도는 다음과 같다. 첫째, VM 웨어를 비롯한 여러 tool들을 이용해 환경구축을 한다. 둘째, 프록시 서버를 사용해 취약점을 분석해 이에 대비한다. 성능평가는 고안한 대응방안을 적용시켜 그 성능을 평가한다.

Keywords

References

  1. http://www.vmware-com/support/ws3/doc/whatsnew_ws.html
  2. http://www.virusbtn.com/magazine/overview/index,xml
  3. ftp://ftp.cs.uta.fi/pub/vru/documents/test1997.zip
  4. Boyan Chen, Pavol Zavarsky, Ron Ruhl and Dale Lindskog, "A Study of the Effectiveness of CSRF Guard," IEEE Proc. of PASSAT/SocialCom 2011, October 2011.
  5. Xiaoli Lin, Pavol Zavarsky, Ron Ruhl, Dale Lindskog, "Threat Modeling for CSRF Attacks," IEEE Proc. of CSE2009, pp.486-491, August 2009.
  6. Hossein Saiedian, Dan S. Broyles, "Security Vulnerabilities in the Same-Origin Policy: Implications and Alternatives," Computer, vol.44, issue9, pp.29 -36, September 2011.
  7. Tatiana Alexenko, Mark Jenne, Suman Deb Roy, Wenjun Zeng, "Cross-Site Request Forgery: Attack and Defense," IEEE Proc. of CCNC2010, pp.1-2, January 2010.
  8. Yin-Chang Sung, Michael Cheng Yi Cho, Chi-Wei Wang, Chia-Wei Hsu, Shiuhpyng Winston Shieh, "Light-Weight CSRF Protection by Labeling User-Created Contents," IEEE Proc. of SERE 2013, pp.60-69, June 2013.
  9. Nenad Jovanovic, Engin Kirda, and Christopher Kruegel, "Preventing Cross Site Request Forgery Attacks," IEEE Proc. of Securecomm and Workshops 2006, pp.1-10, August 2006.
  10. Soeui Kim, Duri Choi, Beongku An, "Detection and Prevention Method by Analyzing Malignant Code of Malignant Bot," JIIBC, pp.199-207, vol.13, no.2, April 2013. https://doi.org/10.7236/JIIBC.2013.13.2.199