Preventive Measures for Cross Site Request Forgery Attacks on Web-based Applications

  • Authors

    • Emil Semastin
    • Sami Azam
    • Bharanidharan Shanmugam
    • Krishnan Kannoorpatti
    • Mirjam Jonokman
    • Ganthan Narayana Samy
    • Sundresan Peruma
    2018-10-07
    https://doi.org/10.14419/ijet.v7i4.15.21434
  • CSRF, CSRF Prevention, CSRF Tester, Hidden Token, Web Application Vulnerabilities
  • Today's business world has built Web Services and Web Applications into the core of its operating cycle, and security plays a major role in integrating such services and applications with business needs worldwide. OWASP (Open Web Application Security Project) states that the effectiveness of the security mechanisms in a Web Application can be estimated by evaluating its degree of vulnerability to any of the OWASP Top Ten vulnerabilities. This paper sheds light on a number of existing tools that can be used to test for the CSRF vulnerability. The main objective of the research is to identify the available solutions for preventing CSRF attacks. By analyzing the techniques employed in each solution, the optimal tool can be identified. Tests against exploitation of the vulnerability were conducted after implementing each solution in the web application to check its efficacy. The research also proposes a combined solution that integrates passing an unpredictable token through a hidden form field and validating it on the server side with passing the token through the URL.
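  The combined defence described in the abstract, as an added illustration that is not code from the paper: the server binds one unpredictable token to the session, emits it both in the form's action URL and in a hidden field, and accepts a state-changing POST only when the same token arrives in both places. The in-memory session store, the `/transfer` form and the `csrf_token` parameter name are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed in-memory session store: session id -> CSRF token (assumption for the example).
SESSIONS = {}

def start_session():
    """Create a session and bind one unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG
    return sid

def render_form(sid, action="/transfer"):
    """Server side: emit the token in the form action URL and in a hidden field."""
    token = SESSIONS[sid]
    action_url = f"{action}?{urlencode({'csrf_token': token})}"
    return (f'<form method="POST" action="{action_url}">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            f'<input name="amount"><button>Send</button></form>')

def validate_request(sid, url, body):
    """Server side: accept the POST only if the session's token appears exactly
    once in the URL query string and exactly once in the POSTed body, compared
    in constant time. Returns (accepted, reason)."""
    expected = SESSIONS.get(sid)
    if expected is None:
        return False, "unknown session"
    url_tokens = parse_qs(urlsplit(url).query).get("csrf_token", [])
    body_tokens = parse_qs(body).get("csrf_token", [])
    if len(url_tokens) != 1 or len(body_tokens) != 1:
        return False, "token missing or repeated"
    if not hmac.compare_digest(url_tokens[0], expected):
        return False, "url token mismatch"
    if not hmac.compare_digest(body_tokens[0], expected):
        return False, "hidden field token mismatch"
    return True, "ok"
```

  A cross-site page cannot read the victim's token, so a forged request lacks it in at least one location and is rejected; note that a token carried in the URL can leak through Referer headers and server logs, which is why the hidden-field copy is still validated.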

  • How to Cite

    Semastin, E., Azam, S., Shanmugam, B., Kannoorpatti, K., Jonokman, M., Narayana Samy, G., & Peruma, S. (2018). Preventive Measures for Cross Site Request Forgery Attacks on Web-based Applications. International Journal of Engineering & Technology, 7(4.15), 130-134. https://doi.org/10.14419/ijet.v7i4.15.21434