Model-Based Detection of CSRF

  • Marco Rocchetto
  • Martín Ochoa
  • Mohammad Torabi Dashti
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 428)


Cross-Site Request Forgery (CSRF) is listed in the top ten list of the Open Web Application Security Project (OWASP) as one of the most critical threats to web security. A number of protection mechanisms against CSRF exist, but an attacker can often exploit the complexity of modern web applications to bypass these protections by abusing other flaws. We present a formal model-based technique for automatic detection of CSRF. We describe how a web application should be specified in order to facilitate the exposition of CSRF-related vulnerabilities. We use an intruder model, à la Dolev-Yao, and discuss how CSRF attacks may result from the interactions between the intruder and the cryptographic protocols underlying the web application. We demonstrate the effectiveness and usability of our technique with three real-world case studies.



Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Marco Rocchetto, Università di Verona, Italy
  • Martín Ochoa, Technische Universität München, Germany
  • Mohammad Torabi Dashti, ETH Zürich, Switzerland
