Visible to the public Large-Scale Analysis Detection of Authentication Cross-Site Request Forgeries

TitleLarge-Scale Analysis Detection of Authentication Cross-Site Request Forgeries
Publication TypeConference Paper
Year of Publication2017
AuthorsSudhodanan, A., Carbone, R., Compagna, L., Dolgin, N., Armando, A., Morelli, U.
Conference Name2017 IEEE European Symposium on Security and Privacy (EuroS P)
Date Publishedapr
KeywordsAuth-CSRF, authentication, authentication cross-site request forgery detection, authentication CSRF, Browsers, CSRF-checker, eBay, experimental analysis, Google, History, Human Behavior, identity management functionalities, large-scale analysis, Metrics, Microsoft, open-source penetration testing tool OWASP ZAP, pubcrawl, public domain software, Resiliency, security of data, security testing strategies, Testing, Web applications, Web Browser Security, Web site authentication, Web sites
AbstractCross-Site Request Forgery (CSRF) attacks are one of the critical threats to web applications. In this paper, we focus on CSRF attacks targeting web sites' authentication and identity management functionalities. We will refer to them collectively as Authentication CSRF (Auth-CSRF in short). We started by collecting several Auth-CSRF attacks reported in the literature, then analyzed their underlying strategies and identified 7 security testing strategies that can help a manual tester uncover vulnerabilities enabling Auth-CSRF. In order to check the effectiveness of our testing strategies and to estimate the incidence of Auth-CSRF, we conducted an experimental analysis considering 300 web sites belonging to 3 different rank ranges of the Alexa global top 1500. The results of our experiments are alarming: out of the 300 web sites we considered, 133 qualified for conducting our experiments and 90 of these suffered from at least one vulnerability enabling Auth-CSRF (i.e. 68%). We further generalized our testing strategies, enhanced them with the knowledge we acquired during our experiments and implemented them as an extension (namely CSRF-checker) to the open-source penetration testing tool OWASP ZAP. With the help of CSRFchecker, we tested 132 additional web sites (again from the Alexa global top 1500) and identified 95 vulnerable ones (i.e. 72%). Our findings include serious vulnerabilities among the web sites of Microsoft, Google, eBay etc. Finally, we responsibly disclosed our findings to the affected vendors.
Citation Keysudhodanan_large-scale_2017