
Experimental Analyses in Search of Effective Mitigation for Login Cross-Site Request Forgery

Chapter in: Cyber Defence in the Age of AI, Smart Societies and Augmented Humanity

Abstract

Advancements in web applications and on-line services continue to stimulate business growth and other applications across the globe. Alongside these developments come increasing cyber security risks and vulnerabilities, which inevitably call for mitigations. Web application vulnerabilities are security holes that attackers may attempt to exploit, potentially causing serious damage to a business, such as theft of sensitive data and compromise of business resources. Since web applications are now widely used in critical business environments such as internet banking, communication of sensitive data and online shopping, they require robust protective measures against a wide range of vulnerabilities. This work explores three remediation methods against login CSRF attacks: HTTP header verification, tokenisation and challenge-response authentication. Experiments comprising nine test cases, pairing the three mitigation methods with three vulnerabilities, are conducted to identify whether exploitation of a vulnerability was able to bypass a mitigation method and how the mitigation behaved in web applications running in virtual environments. Using techniques and specific scripts of simulated web applications, the three mitigation methods are mapped to the exploitation of the three vulnerabilities in different settings in search of an optimal solution. Results indicate that HTTP header verification did not protect users from clickjacking exploitation, while it did protect against XSS and CSRF attacks. Further, exploitation of all three vulnerabilities bypassed the tokenisation mitigation, and XSS attacks were prevented by challenge-response authentication, although exploitation of clickjacking and CSRF defeated that mitigation. The significance of these results lies in the fact that different methods are effective or ineffective under different conditions, and therefore no single solution can be considered the most appropriate for web applications.
The study concludes that best practices can be sought through empirical and experimental studies, in which the behaviour of different solutions is observed and analysed under different attack scenarios. Such experiments, designed to bypass mitigations, provide insights into robust and appropriate implementation approaches and, in the era of Artificial Intelligence and Big Data, they should be conducted routinely and automatically.
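As an added illustration, not code from the chapter, the following minimal Python login handler layers two of the three mitigations named above: HTTP header verification (Origin/Referer must match the site) and tokenisation (a random token bound to an anonymous pre-login session, rotated after use). The in-memory session store, the site origin and the cookie/form field names are assumptions made for this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory store of anonymous pre-login sessions: id -> {"login_token": ...}.
# A real deployment would keep this in the framework's session backend (assumption).
PRE_SESSIONS = {}
SITE_ORIGIN = "https://bank.example"  # assumed origin that serves the login page


def start_pre_session():
    """Open an anonymous pre-login session and bind a fresh, random login token to it."""
    sid = secrets.token_urlsafe(32)
    PRE_SESSIONS[sid] = {"login_token": secrets.token_urlsafe(32)}
    return sid, PRE_SESSIONS[sid]["login_token"]


def _request_origin(headers):
    """Origin header if present, otherwise scheme://host of Referer, otherwise None."""
    if headers.get("Origin"):
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def check_login_request(headers, cookies, form):
    """Return (accepted, reason) for a POST to the login endpoint.

    Layer 1, HTTP header verification: Origin/Referer must equal SITE_ORIGIN, so a
    login form submitted from another site is refused before the token is looked at.
    Layer 2, tokenisation: the submitted token must match the one bound to the
    caller's pre-login session; it is rotated after use so a replayed form fails.
    """
    origin = _request_origin(headers)
    if origin is None:
        return False, "missing Origin/Referer"
    if origin != SITE_ORIGIN:
        return False, f"cross-origin login attempt from {origin}"
    session = PRE_SESSIONS.get(cookies.get("pre_session", ""))
    if session is None:
        return False, "no pre-login session"
    supplied = form.get("login_token", "")
    if not hmac.compare_digest(session["login_token"].encode(), supplied.encode()):
        return False, "login token mismatch"
    session["login_token"] = secrets.token_urlsafe(32)  # single use
    return True, "ok"
```

Because the header check runs first, a cross-site submission is rejected even if it carries a valid token, which is the defence-in-depth the chapter's results argue for when tokenisation alone is bypassed.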



Author information

Correspondence to Y. Shibuya.

Copyright information

© 2020 Springer Nature Switzerland AG

About this chapter


Cite this chapter

Shibuya, Y., Mwitondi, K., Zargari, S. (2020). Experimental Analyses in Search of Effective Mitigation for Login Cross-Site Request Forgery. In: Jahankhani, H., Kendzierskyj, S., Chelvachandran, N., Ibarra, J. (eds) Cyber Defence in the Age of AI, Smart Societies and Augmented Humanity. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-030-35746-7_12


  • DOI: https://doi.org/10.1007/978-3-030-35746-7_12


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35745-0

  • Online ISBN: 978-3-030-35746-7

  • eBook Packages: Computer Science, Computer Science (R0)