Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

The Study into Cross-Site Request Forgery Attacks within the Framework of Analysis of Software Vulnerabilities

https://doi.org/10.15514/ISPRAS-2017-29(5)-1

Abstract

Nowadays, web applications are one of the most common types of target of evaluation within the framework of information security certification. The study of web application vulnerabilities during information security certification is relevant for two reasons. On the one hand, web technologies are actively used in building modern information systems, including systems that are critical from the information security point of view. On the other hand, carrying out basic attacks on such systems does not require a high level of technical competence from the violator, since information on typical vulnerabilities and attacks, including attack tools, is widely available in public sources, and the information systems themselves are usually reachable from public communication networks. The paper presents the results of a study of the security of web applications that are targets of evaluation within the framework of certification for information security requirements against cross-site request forgery attacks. Information about cross-site request forgery attacks and about the security controls used by web application developers is systematized and generalized. Experimental studies of 10 web applications that have passed certification tests against information security requirements are presented. The experimental results show that most developers do not pay enough attention to protection against cross-site request forgery: 7 out of 10 of the web applications tested were vulnerable to this type of attack. Based on the processing of the experimental results, the distribution of the security controls used in the web applications and of the identified vulnerabilities by programming language was obtained. Recommendations regarding the protection of web applications against cross-site request forgery attacks are formulated for developers planning to certify their software.

About the Authors

A. V. Barabanov
NPO Echelon
Russian Federation


A. I. Lavrov
NPO Echelon
Russian Federation


A. S. Markov
Bauman MSTU
Russian Federation


I. A. Polotnyanschikov
NPO Echelon
Russian Federation


V. L. Tsirlov
Bauman MSTU
Russian Federation


For citation:

Barabanov A.V., Lavrov A.I., Markov A.S., Polotnyanschikov I.A., Tsirlov V.L. The Study into Cross-Site Request Forgery Attacks within the Framework of Analysis of Software Vulnerabilities. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2017;29(5):7-18. https://doi.org/10.15514/ISPRAS-2017-29(5)-1

This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)