research-article

Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs

Authors:

Giancarlo Pellegrino,

Martin Johns,

Simon Koch,

Michael Backes,

Christian RossowAuthors Info & Claims

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Pages 1757 - 1771

https://doi.org/10.1145/3133956.3133959

Published: 30 October 2017 Publication History

Get Access

Abstract

Cross-Site Request Forgery (CSRF) vulnerabilities are a severe class of web vulnerabilities that have received only marginal attention from the research and security testing communities. While much effort has been spent on countermeasures and detection of XSS and SQLi, to date, the detection of CSRF vulnerabilities is still performed predominantly manually.

In this paper, we present Deemon, to the best of our knowledge the first automated security testing framework to discover CSRF vulnerabilities. Our approach is based on a new modeling paradigm which captures multiple aspects of web applications, including execution traces, data flows, and architecture tiers in a unified, comprehensive property graph. We present the paradigm and show how a concrete model can be built automatically using dynamic traces.Then, using graph traversals, we mine for potentially vulnerable operations. Using the information captured in the model, our approach then automatically creates and conducts security tests, to practically validate the found CSRF issues. We evaluate the effectiveness of Deemon with 10 popular open source web applications. Our experiments uncovered 14 previously unknown CSRF vulnerabilities that can be exploited, for instance, to take over user accounts or entire websites.

Supplemental Material

MP4 File

Download
2466.08 MB

References

[1]

David Anderson and Mark Hills 2017. Query Construction Patterns in PHP. In IEEE 24th International Conference on Software Analysis, Evolution and Reengineering, SANER 2017, Klagenfurt, Austria, February 20-24, 2017. 452--456. https://doi.org/10.1109/SANER.2017.7884652

Crossref

Google Scholar

[2]

Marc Andreessen. 1993. proposed new tag: IMG. [Posting to the www-talk mailing list], http://1997.webhistory.org/www.lists/www-talk.1993q1/0182.html. (February 1993).

Google Scholar

[3]

Michael Backes, Konrad Rieck, Malte Skoruppa, Ben Stock, and Fabian Yamaguchi 2017. Efficient and Flexible Discovery of PHP Application 2nd European Symposium on Security & Privacy (EuroS&P 2017) (to appear).

Google Scholar

[4]

Guangdong Bai, Jike Lei, Guozhu Meng, Sai Sathyanarayan Venkatraman, Prateek Saxena, Jun Sun, Yang Liu, and Jin Song Dong. 2013. AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, February 24-27, 2013.

Google Scholar

[5]

A. Barth 2011. The Web Origin Concept. RFC 6454 (Proposed Standard). (Dec. 2011). http://www.ietf.org/rfc/rfc6454.txt

Google Scholar

[6]

Adam Barth, Collin Jackson, and John C. Mitchell. 2008. Robust Defenses for Cross-site Request Forgery. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS '08). ACM, New York, NY, USA, 75--88. https://doi.org/10.1145/1455770.1455782

Digital Library

Google Scholar

[7]

Jason Bau, Elie Bursztein, Divij Gupta, and John Mitchell 2010. State of the Art: Automated Black-Box Web Application Vulnerability Testing 2010 IEEE Symposium on Security and Privacy. 332--345. 1109/SP.2014.44

Google Scholar

[8]

William Zeller and Edward W. Felten 2008. Cross-Site Request Forgeries: Exploitation and Prevention. (2008). http://www.cs.utexas.edu/ shmat/courses/cs378/zeller.pdf

Google Scholar

[9]

Yuchen Zhou and David Evans 2014. SSOScan: Automated Testing of Web Applications for Single Sign-on Vulnerabilities Proceedings of the 23rd USENIX Conference on Security Symposium (SEC'14). USENIX Association, Berkeley, CA, USA, 495--510. http://dl.acm.org/citation.cfm?id=2671225.2671257

Google Scholar

Cited By

View all

Ferreira MMonteiro MBrito TCoimbra MSantos NJia LSantos J(2024)Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency GraphsProceedings of the ACM on Programming Languages10.1145/36563948:PLDI(417-441)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656394
Shi YZhang YBai TZhang LTan XYang MChua TNgo CKa-Wei Lee RKumar RLauw H(2024)RecurScan: Detecting Recurring Vulnerabilities in PHP Web ApplicationsProceedings of the ACM on Web Conference 202410.1145/3589334.3645530(1746-1755)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589334.3645530
M.E VBothinath BKumar KKavinpirasanth V(2024)Detect Potentially Risky Websites using Hidden Markov Model2024 International Conference on Inventive Computation Technologies (ICICT)10.1109/ICICT60155.2024.10544876(1120-1123)Online publication date: 24-Apr-2024
https://doi.org/10.1109/ICICT60155.2024.10544876
Show More Cited By

Index Terms

Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs
1. Security and privacy
  1. Software and application security
    1. Web application security

Recommendations

Robust defenses for cross-site request forgery
CCS '08: Proceedings of the 15th ACM conference on Computer and communications security

Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the ...
Security vulnerabilities and mitigation techniques of web applications
SIN '13: Proceedings of the 6th International Conference on Security of Information and Networks

Web applications contain vulnerabilities, which may lead to serious security breaches such as stealing of confidential information. To protect against security breaches, it is necessary to understand the detailed steps of attacks and the pros and cons ...
Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection
Financial Cryptography and Data Security

A cross site request forgery (CSRF) attack occurs when a user's web browser is instructed by a malicious webpage to send a request to a vulnerable web site, resulting in the vulnerable web site performing actions not intended by the user. CSRF ...

Comments

Information & Contributors

Information

Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

October 2017

2682 pages

ISBN:9781450349468

DOI:10.1145/3133956

General Chair:
Bhavani Thuraisingham
The University of Texas at Dallas, USA
,
Program Chairs:
David Evans
University of Virginia
,
Tal Malkin
Columbia University
,
Dongyan Xu
Purdue University

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 October 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Bundesministerium für Bildung und Forschung
Bundesministerium für Bildung und Forschung - BMBF

Conference

CCS '17

Sponsor:

SIGSAC

CCS '17: 2017 ACM SIGSAC Conference on Computer and Communications Security

October 30 - November 3, 2017

Texas, Dallas, USA

Acceptance Rates

CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

34
Total Citations
View Citations
694
Total Downloads

Downloads (Last 12 months)68
Downloads (Last 6 weeks)11

Reflects downloads up to 28 Jul 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Ferreira MMonteiro MBrito TCoimbra MSantos NJia LSantos J(2024)Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency GraphsProceedings of the ACM on Programming Languages10.1145/36563948:PLDI(417-441)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656394
Shi YZhang YBai TZhang LTan XYang MChua TNgo CKa-Wei Lee RKumar RLauw H(2024)RecurScan: Detecting Recurring Vulnerabilities in PHP Web ApplicationsProceedings of the ACM on Web Conference 202410.1145/3589334.3645530(1746-1755)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589334.3645530
M.E VBothinath BKumar KKavinpirasanth V(2024)Detect Potentially Risky Websites using Hidden Markov Model2024 International Conference on Inventive Computation Technologies (ICICT)10.1109/ICICT60155.2024.10544876(1120-1123)Online publication date: 24-Apr-2024
https://doi.org/10.1109/ICICT60155.2024.10544876
CHEN YPAN ZCHEN YLI Y(2023)DISOV: Discovering Second-Order Vulnerabilities Based on Web Application Property GraphIEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences10.1587/transfun.2022EAP1045E106.A:2(133-145)Online publication date: 1-Feb-2023
https://doi.org/10.1587/transfun.2022EAP1045
Trampert LStock BRoth S(2023)Honey, I Cached our Security Tokens Re-usage of Security Tokens in the WildProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3607199.3607223(714-726)Online publication date: 16-Oct-2023
https://dl.acm.org/doi/10.1145/3607199.3607223
Yu JLi SZhu JCao YMeng WJensen CCremers CKirda E(2023)CoCo: Efficient Browser Extension Vulnerability Detection via Coverage-guided, Concurrent Abstract InterpretationProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3616584(2441-2455)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3616584
Brito TFerreira MMonteiro MLopes PBarros MSantos JSantos N(2023)Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js PackagesIEEE Transactions on Reliability10.1109/TR.2023.328630172:4(1324-1339)Online publication date: Dec-2023
https://doi.org/10.1109/TR.2023.3286301
Ferreira MBrito TSantos JSantos N(2023)RuleKeeper: GDPR-Aware Personal Data Compliance for Web Frameworks2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179395(2817-2834)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179395
Kang MXu YLi SGjomemo RHou JVenkatakrishnan VCao Y(2023)Scaling JavaScript Abstract Interpretation to Detect and Exploit Node.js Taint-style Vulnerability2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179352(1059-1076)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179352
Rao MKalyani BVathsalya BDhanunjay KNarayana A(2023)Cross-Site Request Forgery as an Example of Machine Learning for Web Vulnerability Detection2023 3rd International Conference on Smart Data Intelligence (ICSMDI)10.1109/ICSMDI57622.2023.00080(422-426)Online publication date: Mar-2023
https://doi.org/10.1109/ICSMDI57622.2023.00080
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Robust defenses for cross-site request forgery

Security vulnerabilities and mitigation techniques of web applications

Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection

Comments

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Upcoming Conference

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

Abstract

Supplemental Material

References

Cited By

Index Terms

Recommendations

Robust defenses for cross-site request forgery

Security vulnerabilities and mitigation techniques of web applications

Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations