Abstract
Advances in web applications and online services continue to stimulate business growth and other applications across the globe. Alongside these developments come increasing cyber security risks and vulnerabilities, which inevitably demand mitigations. Web application vulnerabilities are security holes that attackers may attempt to exploit, potentially causing serious damage to a business, such as theft of sensitive data and compromise of business resources. Since web applications are now so widely used in critical business environments such as internet banking, communication of sensitive data and online shopping, robust protective measures against a wide range of vulnerabilities are required. This work explores three remediation methods against login CSRF attacks: HTTP header verification, tokenisation and challenge-response authentication. Experiments comprising nine test cases, pairing each of the three mitigation methods with each of three vulnerabilities (XSS, clickjacking and CSRF), are conducted to identify whether exploitation of a vulnerability could bypass a mitigation method and how the mitigation behaved in web applications running in virtual environments. Using techniques and specific scripts on simulated web applications, the three mitigation methods are mapped to the exploitation of the three vulnerabilities in different settings in search of an optimal solution. Results indicate that HTTP header verification did not protect users from clickjacking exploitation, while it did protect against XSS and CSRF attacks. Exploitation of all three vulnerabilities bypassed the tokenisation mitigation. Challenge-response authentication prevented XSS attacks, although exploitation of clickjacking and CSRF defeated it. The significance of these results lies in the fact that different methods are effective or ineffective under different conditions, and therefore no single solution can be considered the most appropriate for all web applications.
The study concludes that best practices can be sought through empirical and experimental studies, in which the behaviour of different solutions under different attack scenarios is observed and analysed. Such experiments, designed to bypass mitigations, provide insight into robust and appropriate implementation approaches and, in the era of Artificial Intelligence and Big Data, should be conducted routinely and automatically.
© 2020 Springer Nature Switzerland AG
Cite this chapter
Shibuya, Y., Mwitondi, K., Zargari, S. (2020). Experimental Analyses in Search of Effective Mitigation for Login Cross-Site Request Forgery. In: Jahankhani, H., Kendzierskyj, S., Chelvachandran, N., Ibarra, J. (eds) Cyber Defence in the Age of AI, Smart Societies and Augmented Humanity. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-030-35746-7_12
DOI: https://doi.org/10.1007/978-3-030-35746-7_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-35745-0
Online ISBN: 978-3-030-35746-7