The study into "Cross-Site Request Forgery" attacks within the framework of analysis of software vulnerabilities

Автор: Barabanov A.V., Lavrov A.I., Markov A.S., Polotnyanschikov I.A., Tsirlov V.L.

Журнал: Труды Института системного программирования РАН @trudy-isp-ran

Статья в выпуске: 5 т.29, 2017 года.

Бесплатный доступ

Nowadays, web applications are one of the most popular types of target of evaluation within the framework of the information security certification. The relevance of the study of web applications vulnerabilities during information security certification is due to the fact that web technologies are actively used while producing modern information systems, including information systems critical from the information security point of view, and on the other hand carrying out basic attacks on such information systems do not require violators of high technical competence, since data on typical vulnerabilities and attacks, including the attacking tools are heavily represented in publicly available sources of information, and the information systems themselves are usually available from public communication networks. The paper presents the results of a study of the security of web applications that are target of evaluation within the framework of certification for information security requirements against cross-site requests forgery attacks. The results of systematization and generalization of information about the cross-site requests forgery attacks and security controls used by web application developers are presented. The results of experimental studies of 10 web applications that have passed certification tests against information security requirements are presented. The results of experimental studies have shown that most developers do not pay enough attention to protection from cross-site request forgery attack - 7 out of 10 web applications tested have been vulnerable to this type of attack. Based on the results of processing the results of experimental studies, the distribution of security controls used in web applications and identified vulnerabilities by programming languages were obtained. Recommendations regarding the protection of web applications against cross-site request forgery attack for developers planning to certify their software are formulated.

Еще

Information security, software security, analysis of vulnerabilities, web-application, csrf-attack

Короткий адрес: https://sciup.org/14916481

IDR: 14916481 | DOI: 10.15514/ISPRAS-2017-29(5)-1

Список литературы The study into "Cross-Site Request Forgery" attacks within the framework of analysis of software vulnerabilities

H. Selim, S. Tayeb, Y. Kim, J. Zhan, and M. Pirouz. Vulnerability Analysis of Iframe Attacks on Websites. In Proceedings of the The 3rd Multidisciplinary International Social Networks Conference on SocialInformatics 2016, Data Science 2016 (MISNC, SI, DS 2016). ACM, New York, NY, USA, Article 45, pp. 1-6, August 2016 DOI: 10.1145/2955129.2955180
W. Du, K. Jayaraman, X. Tan, T. Luo, and S. Chapin. Position paper: why are there so many vulnerabilities in web applications? In Proceedings of the 2011 New Security Paradigms Workshop (NSPW '11). ACM, New York, NY, USA, pp. 83-94. 2011 DOI: 10.1145/2073276.2073285
A. Barabanov, A. Markov, A. Fadin, V. Tsirlov, I. Shakhalov. Synthesis of Secure Software Development Controls. In Proceedings of the 8th International Conference on Security of Information and Networks (Sochi, Russia, September 8-10, 2015). SIN '15. ACM, New York, NY, USA, pp. 93-97. 2015 DOI: 10.1145/2799979.2799998
A.V. Barabanov, A.S. Markov, V.L. Tsirlov. Methodological Framework for Analysis and Synthesis of a Set of Secure Software Development Controls. Journal of Theoretical and Applied Information Technology. 2016. V. 88. No 1, pp. 77-88.
N. Jovanovic, E. Kirda, and C. Kruegel. Preventing cross site request forgery attacks. In the IEEE International Conference on Security and Privacy for Emerging Areas in Communication Networks (Securecomm), pp. 1-10, September 2006.
A. Czeskis, A. Moshchuk, T. Kohno, and H.J. Wang. Lightweight server support for browser-based CSRF protection. In Proceedings of the 22nd international conference on World Wide Web (WWW '13). ACM, New York, NY, USA, 2013, pp. 273-284 DOI: 10.1145/2488388.2488413
K. Jayaraman, P. G. Talaga, G. Lewandowski, S.J. Chapin, and M. Hafiz. Modeling user interactions for (fun and) profit: preventing request forgery attacks on web applications. In Proceedings of the 16th Conference on Pattern Languages of Programs (PLoP '09). ACM, New York, NY, USA, Article 16, pp. 1-9. August 2009 DOI: 10.1145/1943226.1943246
A. Barth, C. Jackson, and J.C. Mitchell. Robust defenses for cross-site request forgery. In Proceedings of the 15th ACM conference on Computer and communications security (CCS '08). ACM, New York, NY, USA, pp. 75-88. October 2008 DOI: 10.1145/1455770.1455782
M. Zhou, P. Bisht, and V.N. Venkatakrishnan. Strengthening XSRF defenses for legacy web applications using whitebox analysis and transformation. In Proceedings of the 6th international conference on Information systems security (ICISS'10), pp. 96-110. 2010.
E. Shernan, H. Carter, D. Tian, P. Traynor, and K. Butler. More Guidelines Than Rules: CSRF Vulnerabilities from Noncompliant OAuth 2.0 Implementations. In Proceedings of the 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2015), pp. 239-260, June 2015 DOI: 10.1007/978-3-319-20550-2_13
H. Shahriar and M. Zulkernine. Client-Side Detection of Cross-Site Request Forgery Attacks. In Proceedings of the 2010 IEEE 21st International Symposium on Software Reliability Engineering (ISSRE '10). IEEE Computer Society, Washington, DC, USA, pp. 358-367. November 2010 DOI: 10.1109/ISSRE.2010.12
P.D. Ryck, L. Desmet, T. Heyman, F. Piessens, and W. Joosen. CsFire: transparent client-side mitigation of malicious cross-domain requests. In Proceedings of the Second international conference on Engineering Secure Software and Systems (ESSoS'10), pp. 18-34. 2010 DOI: 10.1007/978-3-642-11747-3_2
R. Pelizzi and R. Sekar. A server-and browser-transparent CSRF defense for web 2.0 applications. In Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC '11). ACM, New York, NY, USA, pp. 257-266. December 2011 DOI: 10.1145/2076732.2076768
L. Xing, Y. Zhang, and S. Chen. A client-based and server-enhanced defense mechanism for cross-site request forgery. In Proceedings of the 13th international conference on Recent advances in intrusion detection (RAID'10), pp. 484-485. 2010.
N. Gelernter and A. Herzberg. Cross-Site Search Attacks. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15). ACM, New York, NY, USA, pp. 1394-1405. October 2015 DOI: 10.1145/2810103.2813688
E. Z. Yang, D. Stefan, J. Mitchell, D. Mazières, P. Marchenko, and B. Karp. Toward principled browser security. In Proceedings of the 14th USENIX conference on Hot Topics in Operating Systems (HotOS'13). USENIX Association, Berkeley, CA, USA, pp. 17-17. 2013.
W. Maes, T. Heyman, L. Desmet, and W. Joosen. Browser protection against cross-site request forgery. In Proceedings of the first ACM workshop on Secure execution of untrusted code (SecuCode '09). ACM, New York, NY, USA, pp. 3-10. November 2009 DOI: 10.1145/1655077.1655081
A. Barabanov, A. Markov, V. Tsirlov. Procedure for substantiated development of measures to design secure software for automated process control systems. In Proceedings of the International Siberian Conference on Control and Communications, SIBCON 2016, IEEE, 1-4. June 2016 DOI: 10.1109/SIBCON.2016.7491660
X. Li and Y.Xue. A survey on server-side approaches to securing web applications. ACM Comput. Surv., 46, 4, Article 54 (March 2014), 29 pages. April 2014 DOI: 10.1145/2541315
A.S. Markov, V.L. Tsirlov. Experience in identifying vulnerabilities in foreign software products. Voprosy kiberbezopasnosti . 2013. No 1(1), pp. 42-48..

Еще

Статья научная