Abstract
Cross-Site Request Forgery (CSRF) is listed in the Open Web Application Security Project (OWASP) Top Ten as one of the most critical threats to web security. A number of protection mechanisms against CSRF exist, but an attacker can often exploit the complexity of modern web applications to bypass these protections by abusing other flaws. We present a formal model-based technique for the automatic detection of CSRF. We describe how a web application should be specified in order to expose CSRF-related vulnerabilities. We use an intruder model, à la Dolev-Yao, and discuss how CSRF attacks may result from the interactions between the intruder and the cryptographic protocols underlying the web application. We demonstrate the effectiveness and usability of our technique with three real-world case studies.
Copyright information
© 2014 IFIP International Federation for Information Processing
Cite this paper
Rocchetto, M., Ochoa, M., Torabi Dashti, M. (2014). Model-Based Detection of CSRF. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds) ICT Systems Security and Privacy Protection. SEC 2014. IFIP Advances in Information and Communication Technology, vol 428. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-55415-5_3
DOI: https://doi.org/10.1007/978-3-642-55415-5_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-55414-8
Online ISBN: 978-3-642-55415-5