Preventive Measures for Cross Site Request Forgery Attacks on Web-based Applications

  • Abstract


    Today’s business world has incorporated Web Services and Web Applications into the core of its operating cycle, and security plays a major role in integrating such services and applications with business needs worldwide. OWASP (Open Web Application Security Project) states that the effectiveness of the security mechanisms in a Web Application can be estimated by evaluating its degree of vulnerability to each of the OWASP Top Ten vulnerabilities. This paper sheds light on a number of existing tools that can be used to test for the CSRF vulnerability. The main objective of the research is to identify the available solutions for preventing CSRF attacks. By analyzing the techniques employed in each of the solutions, the optimal tool can be identified. Tests against exploitation of the vulnerability were conducted after implementing each solution in the web application, to check the efficacy of each solution. The research also proposes a combined solution that integrates passing an unpredictable token through a hidden form field and validating it on the server side with passing the token through the URL.
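The combined defence the abstract proposes (an unpredictable per-session token carried in a hidden form field, validated server-side, together with the same token carried in the URL) can be sketched as follows. This is an added illustration written for this page, not code from the paper or from OWASP; the field name `csrf_token`, the `session` dictionary standing in for server-side session storage, and the `/transfer` action are assumptions chosen for the example. A forged cross-site form submission cannot supply a token it has never seen, so the check rejects it, while a legitimate submission from a page the server rendered carries the token in both places.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical name used for both the hidden field and the URL query parameter.
TOKEN_FIELD = "csrf_token"


def issue_token(session: dict) -> str:
    """Create one unpredictable token per session and keep it server-side."""
    if TOKEN_FIELD not in session:
        # 32 random bytes from the OS CSPRNG, URL-safe base64 encoded.
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def render_form(session: dict, action: str) -> str:
    """Embed the session token both as a hidden field and in the form's action URL."""
    token = issue_token(session)
    return (
        f'<form method="POST" action="{action}?{TOKEN_FIELD}={token}">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{token}">\n'
        f'  <input type="submit" value="Transfer">\n'
        f"</form>"
    )


def token_from_url(url: str) -> Optional[str]:
    """Extract the token from the request URL's query string, if present."""
    values = parse_qs(urlparse(url).query).get(TOKEN_FIELD)
    return values[0] if values else None


def validate_request(session: dict, method: str, form: dict, url: str) -> bool:
    """Accept a state-changing request only if the hidden-field token and the
    URL token both match the token stored in the server-side session."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        # Safe methods must not change state, so there is nothing to protect.
        return True
    expected = session.get(TOKEN_FIELD)
    if not expected:
        # No token was ever issued for this session: nothing can be verified.
        return False
    hidden = form.get(TOKEN_FIELD, "")
    url_token = token_from_url(url) or ""
    # Constant-time comparisons so timing does not leak token bytes.
    return hmac.compare_digest(hidden, expected) and hmac.compare_digest(
        url_token, expected
    )


if __name__ == "__main__":
    # Constructed walk-through: a legitimate submission versus a forged one.
    session = {}
    print(render_form(session, "/transfer"))
    token = session[TOKEN_FIELD]
    print("legitimate:", validate_request(
        session, "POST", {TOKEN_FIELD: token}, f"/transfer?{TOKEN_FIELD}={token}"))
    print("forged    :", validate_request(session, "POST", {}, "/transfer"))
```

Because the token also travels in the URL, a deployment of this scheme should account for the fact that URLs can end up in server logs, browser history and Referer headers, which is why the hidden-field token remains the primary check and the token is bound to a single session rather than reused across users.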



  • Keywords


    CSRF; CSRF Prevention; CSRF Tester; Hidden Token; Web Application Vulnerabilities



Article ID: 21434
 
DOI: 10.14419/ijet.v7i4.15.21434




Copyright © 2012-2015 Science Publishing Corporation Inc. All rights reserved.