Automatic Black-Box Detection of Resistance Against CSRF Vulnerabilities in Web Applications

Document Type : Research Article

Authors

Faculty of Electrical and Computer Engineering, Malek Ashtar University of Technology, Iran.

Abstract

Cross-Site Request Forgery (CSRF) is an attack in which a malicious website causes a victim's browser to send an unwanted, state-changing request to a trusted website on which the victim is authenticated. The main defence is to include a random token in the requests sent by the browser: because the attacker can neither guess nor reconstruct the token, the forged request is rejected. The token may be bound to a single request, to a page, or to a session. Existing methods for detecting CSRF vulnerabilities mainly simulate the attack: they manipulate a request, submit it to the server, and analyse the response to the forged request. Such a test must be repeated for every request in the web application to determine whether the application is vulnerable, and the forged submissions may cause unwanted changes to the application's database.

This paper presents a method that passively detects CSRF-resistant requests by analysing traffic to the target website. To this end, we formulate a set of rules for assessing whether a request carries an anti-CSRF token. Applying the rules to the traffic yields the requests that are resistant because they carry random tokens; the remaining requests, which carry no such token, are deduced to be potentially vulnerable. The method is implemented and evaluated on traffic captured from several websites. The results confirm that it effectively detects anti-CSRF tokens in requests, and that the more complete the captured traffic, the more accurate the results.
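As an added illustration of the passive approach described above, the following Python script applies three simple rules of the kind the abstract mentions to a constructed traffic sample. The rules, the thresholds (token length, entropy), the parameter names and the sample requests are this example's own assumptions, not the rule set, implementation or data of the paper: a parameter is treated as an anti-CSRF token only if it is long and high-entropy (rule 1), present with a random-looking value in every state-changing request to the endpoint (rule 2), and not identical across different sessions (rule 3), since a static key that every user sends is something an attacker can simply copy.

```python
import math
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic, not a real capture: (method, url, body, session_id).
# Session ids are assumed to have been taken from the session cookie seen on the wire.
TRAFFIC = [
    ("POST", "https://shop.example/cart/add",
     "item=42&qty=1&csrf=9f8a3b1c7e2d4f60a1b2c3d4e5f60718", "s1"),
    ("POST", "https://shop.example/cart/add",
     "item=43&qty=2&csrf=0c1d2e3f4a5b6c7d8e9fa0b1c2d3e4f5", "s1"),
    ("POST", "https://shop.example/cart/add",
     "item=42&qty=1&csrf=ab12cd34ef56ab12cd34ef56ab12cd34", "s2"),
    ("POST", "https://shop.example/account/email", "email=a%40b.example", "s1"),
    ("POST", "https://shop.example/account/email", "email=d%40e.example", "s2"),
    ("POST", "https://shop.example/comment", "text=hello&page=3", "s1"),
    # High-entropy value that is identical for every session: a static key, not a token.
    ("POST", "https://shop.example/newsletter",
     "list=news&k=4e2a9c7d1f0b8e6a3d5c7b9f1e2d4a6c", "s1"),
    ("POST", "https://shop.example/newsletter",
     "list=promo&k=4e2a9c7d1f0b8e6a3d5c7b9f1e2d4a6c", "s2"),
    ("GET", "https://shop.example/search?q=shoes", "", "s1"),
]

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_\-+/=.]+$")  # hex, base64 and url-safe variants
MIN_TOKEN_LEN = 16   # assumed threshold; tune for the site under test
MIN_ENTROPY = 3.0    # bits per character, assumed; random hex sits near 4, words near 2


def shannon_entropy(value):
    """Bits per character of the value's own symbol distribution."""
    counts = defaultdict(int)
    for ch in value:
        counts[ch] += 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(value):
    """Rule 1: long enough, token-shaped and high-entropy."""
    return (len(value) >= MIN_TOKEN_LEN
            and TOKEN_SHAPE.match(value) is not None
            and shannon_entropy(value) >= MIN_ENTROPY)


def split_request(url, body):
    """Endpoint path plus all query and body parameters of one request."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update(parse_qsl(body, keep_blank_values=True))
    return parts.path, params


def classify(traffic):
    """Map each state-changing endpoint to ('resistant' | 'potentially vulnerable', token names)."""
    observed = defaultdict(list)  # (method, path) -> [(session, params), ...]
    for method, url, body, session in traffic:
        if method.upper() not in STATE_CHANGING:
            continue  # GETs are left out: they are not supposed to change state
        path, params = split_request(url, body)
        observed[(method.upper(), path)].append((session, params))

    verdicts = {}
    for endpoint, requests in observed.items():
        # Rule 2: a token must be present, with a random-looking value, in every request.
        common = set.intersection(*(set(params) for _, params in requests))
        candidates = [name for name in common
                      if all(looks_random(params[name]) for _, params in requests)]
        # Rule 3: a value that never changes across different sessions is not an anti-CSRF token.
        accepted = []
        for name in candidates:
            by_session = defaultdict(set)
            for session, params in requests:
                by_session[session].add(params[name])
            distinct = set().union(*by_session.values())
            if len(by_session) > 1 and len(distinct) == 1:
                continue
            accepted.append(name)
        status = "resistant" if accepted else "potentially vulnerable"
        verdicts[endpoint] = (status, sorted(accepted))
    return verdicts


if __name__ == "__main__":
    for (method, path), (status, tokens) in sorted(classify(TRAFFIC).items()):
        print(f"{method} {path}: {status} {tokens}")
```

On the sample above, `/cart/add` is reported resistant (its `csrf` value differs per request and per session), `/account/email` and `/comment` carry no token at all, and `/newsletter` is flagged even though `k` is long and high-entropy, because the same value appears in both sessions. Rule 3 can only fire when an endpoint has been seen from more than one session, which is the practical reason the abstract's remark on traffic completeness matters: with a single session's traffic, a static key would be accepted as a token. The script also looks only at query and body parameters; a token carried in a request header, or a defence that relies on cookie attributes rather than a token, is not modelled, so "potentially vulnerable" is a lead to confirm, not a finding.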



[1] B. Liu, L. Shi, Z. Cai, and M. Li. Software Vulnerability Discovery Techniques: A Survey. In 2012 fourth international conference on multimedia information networking and security, pages 152--156. IEEE, 2012. [ bib | DOI ]
[2] R. D. Kombade and BB. Meshram. CSRF Vulnerabilities and Defensive Techniques. International Journal of Computer Network and Information Security, 4(1), 2012. [ bib | DOI ]
[3] H. Shahriar and M. Zulkernine. Client-Side Detection of Cross-Site Request Forgery Attacks. In 2010 IEEE 21st International Symposium on Software Reliability Engineering, pages 358--367. IEEE, 2010. [ bib | DOI ]
[4] M. Rocchetto, M. Ochoa, and M. T.Dashti. Model-based Detection of CSRF. In IFIP International Information Security Conference, pages 30--43. Springer, 2014. [ bib | DOI ]
[5] M. Rocchetto, M. Ochoa, and M. T.Dashti. A Study of the Effectiveness of CSRF Guard. In 2011 IEEE Third International Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third International Conference on Social Computing, pages 1269--1272. IEEE, 2011. [ bib | DOI ]
[6] K. Jayaraman, W. Du, B. Rajagopalan, and S. J. Chapin. ESCUDO: A Fine-Grained Protection Model for Web Browsers. In 2011 IEEE Third International Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third International Conference on Social Computing, pages 231--240. IEEE, 2010. [ bib | DOI ]
[7] OWASP Foundation. Cross-Site Request Forgery (CSRF). http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF), Date Accessed: June 3, 2018. [ bib ]
[8] S. Sadeghi and M. A. Hadavi. Black-box Detection of Resistance against CSRF Attacks (in Persian). In 15th International ISC Conference on Information Security and Cryptology, 2018. [ bib | DOI ]
[9] P. Khurana and P. Bindal. Vulnerabilities and Defensive Mechanism of CSRF. International Journal of Computer Trends and Technology, 13(4):2231--2803, 2014. [ bib | DOI ]
[10] M. S. Siddiqui and D. Verma. Cross-site request forgery: A common web application weakness. In 2011 IEEE 3rd International Conference on Communication Software and Networks, pages 538--543. IEEE, 2010. [ bib | DOI ]
[11] T. Oda, G. Wurster, P. C. Van Oorschot, and A. Somayaji. SOMA: mutual approval for included content in web pages. In Proceedings of the 15th ACM conference on Computer and communications security, page 89–98. ACM, 2008. [ bib | DOI ]
[12] E. Y. Chen, J. Bau, C. Reis, A. Barth, and C. Jackson. App isolation: get the security of multiple browsers with just one. In Proceedings of the 18th ACM conference on Computer and communications security, pages 227--238. ACM, 2011. [ bib | DOI ]
[13] M. Bugliesi, S. Calzavara, R. Focardi, W. Khan, and M. Tempesta. Provably Sound Browser-Based Enforcement of Web Session Integrity. In 2014 IEEE 27th Computer Security Foundations Symposium, pages 366--380. IEEE, 2011. [ bib | DOI ]
[14] S. Calzavara, R. Focardi, M. Squarcina, and M. Tempesta. Surviving the Web: A Journey into Web Session Security. ACM Computing Surveys (CSUR), 20(1):1--34, 2017. [ bib | DOI ]
[15] G. Pellegrino, M. Johns, S. Koch, M. Backes, and C. Rossow. Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 1757--1771. ACM, 2017. [ bib | DOI ]
[16] M. Srokosz, D. Rusinek, and B. Ksiezopolski. A new WAF-based architecture for protecting web applications against CSRF attacks in malicious environment. In 2018 Federated Conference on Computer Science and Information Systems (FedCSIS), pages 391--395. IEEE, 2018. [ bib | DOI ]
[17] S. Calzavara, M. Conti, R. Focardi, A. Rabitti, and G. Tolomei. Machine Learning for Web Vulnerability Detection: The Case of Cross-Site Request Forgery. IEEE Security & Privacy, 18(3):8--16, 2020. [ bib | DOI ]
[18] S. Calzavara, M. Conti, R. Focardi, A. Rabitti, and G. Tolomei. Mitch: A machine learning approach to the black-box detection of CSRF vulnerabilities. In 2019 IEEE European Symposium on Security and Privacy (EuroS&P), pages 528--543. IEEE, 2019. [ bib | DOI ]