Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF Vulnerabilities

Title: Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF Vulnerabilities
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Calzavara, Stefano; Conti, Mauro; Focardi, Riccardo; Rabitti, Alvise; Tolomei, Gabriele
Conference Name: 2019 IEEE European Symposium on Security and Privacy (EuroS&P)
Keywords: Black Box Security, black-box detection, Browsers, Cross Site Request Forgery, cross-site request forgery, CSRF vulnerabilities, Forgery, HTTP requests, Internet, learning (artificial intelligence), machine learning, machine learning approach, machine learning solution, Manuals, Mitch approach, predictability, pubcrawl, Resiliency, Scalability, security, Security Heuristics, security of data, sensitive HTTP requests, supervised learning technique, supervised learning techniques, Task Analysis, Tools, web security

Abstract: Cross-Site Request Forgery (CSRF) is one of the oldest and simplest attacks on the Web, yet it is still effective on many websites and it can lead to severe consequences, such as economic losses and account takeovers. Unfortunately, tools and techniques proposed so far to identify CSRF vulnerabilities either need manual reviewing by human experts or assume the availability of the source code of the web application. In this paper we present Mitch, the first machine learning solution for the black-box detection of CSRF vulnerabilities. At the core of Mitch there is an automated detector of sensitive HTTP requests, i.e., requests which require protection against CSRF for security reasons. We trained the detector using supervised learning techniques on a dataset of 5,828 HTTP requests collected on popular websites, which we make available to other security researchers. Our solution outperforms existing detection heuristics proposed in the literature, allowing us to identify 35 new CSRF vulnerabilities on 20 major websites and 3 previously undetected CSRF vulnerabilities on production software already analyzed using a state-of-the-art tool.

Citation Key: calzavara_mitch_2019