
Automatic Black-Box Detection of Resistance Against CSRF Vulnerabilities in Web Applications
Journal of Computing and Security
Article 3, Volume 8, Issue 1, Farvardin 2021 (March/April 2021), Pages 19-32. Full text PDF (2.71 MB)
Article type: Research Article
DOI: 10.22108/jcs.2021.127261.1064
Authors
Mohammad Ali Hadavi*; Samira Sadeghi (* corresponding author)
Faculty of Electrical and Computer Engineering, Malek Ashtar University of Technology, Iran.
Abstract
Cross-Site Request Forgery (CSRF) is an attack in which a malicious website causes a victim's browser to perform an unwanted operation on a trusted website on which the victim is authenticated. The main defence against this attack is to include random tokens in the requests sent by the browser. Since such tokens cannot be guessed or reconstructed by the attacker, the attacker cannot forge the requests. The tokens can be specific to a request, a page, or a session. Existing methods for detecting CSRF vulnerabilities mainly rely on simulating an attack: manipulating a request, submitting it to the server, and analysing the response to the forged request. This kind of test must be repeated for each request in a web application to determine whether the application is vulnerable. Moreover, submitting fake requests may cause undesired changes to the application database. This paper presents a method to passively detect CSRF-resistant requests by analysing the traffic to the target website. To this end, we formulate a set of rules for analysing the possible existence of anti-CSRF tokens. Traffic analysis based on the proposed rules outputs the requests that are resistant because they carry random tokens; consequently, the requests without such tokens are deduced to be potentially vulnerable. The proposed method is implemented and evaluated on traffic extracted from several websites. The results confirm that the method can effectively detect anti-CSRF tokens in requests, and that the more complete the captured website traffic, the more accurate the results.
Keywords
Web Security; Vulnerability Detection; Cross-Site Request Forgery (CSRF); Anti-CSRF Token; Traffic Analysis
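The abstract describes the approach only in outline: passively inspect captured requests, apply rules that decide whether a parameter behaves like an anti-CSRF token (request-, page- or session-scoped), and report state-changing requests that carry no such token as potentially vulnerable. The following Python sketch is an added illustration of that idea and is not the paper's own rule set or implementation, which the page does not reproduce. It applies three rules of the kind the abstract suggests to a constructed capture of two browser sessions: (1) a parameter of a state-changing request is a token candidate if its name hints at a token or its value looks random; (2) a candidate whose value is identical across sessions is known to any attacker and is dropped, and with a single captured session this cannot be decided at all, which is the "more complete traffic, more accurate results" effect; (3) accepted tokens are classified by scope from how their values vary within and across sessions. The thresholds, parameter names, hostnames and the sample traffic are assumptions made for the example.

```python
# Added illustration, not the paper's rule set or implementation: passive anti-CSRF
# token detection over a captured request log. Thresholds, parameter names,
# hostnames and the sample traffic below are assumptions.
import math
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
MIN_TOKEN_LEN = 16             # assumed: shorter values are treated as guessable
MIN_ENTROPY_PER_CHAR = 3.0     # assumed: bits of Shannon entropy per character
NAME_HINT = re.compile(r"csrf|xsrf|token|nonce|authenticity", re.I)


def shannon_entropy(value):
    """Bits of Shannon entropy per character (0.0 for a one-symbol string)."""
    counts = defaultdict(int)
    for ch in value:
        counts[ch] += 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(value):
    return len(value) >= MIN_TOKEN_LEN and shannon_entropy(value) >= MIN_ENTROPY_PER_CHAR


def params_of(req):
    """Merge query-string and body parameters of one captured request."""
    merged = dict(parse_qsl(urlsplit(req["url"]).query))
    merged.update(req.get("body", {}))
    return merged


def classify_scope(per_session, per_page):
    """Rule 3: infer token scope from how values vary.
    per_session: session -> values in request order; per_page: (session, referer) -> set."""
    if all(len(set(vals)) == 1 for vals in per_session.values()):
        return "session"
    if all(len(set(vals)) == len(vals) for vals in per_session.values()):
        return "request"
    if all(len(vals) == 1 for vals in per_page.values()):
        return "page"
    return "unclear"


def analyze(traffic):
    """Return ({token_param: scope}, [(session, method, path, verdict), ...])."""
    cand = defaultdict(lambda: {"sessions": defaultdict(list), "pages": defaultdict(set)})
    for req in traffic:
        if req["method"].upper() not in STATE_CHANGING:
            continue                                  # only state-changing requests matter
        for name, value in params_of(req).items():
            # Rule 1: candidate if the name hints at a token or the value looks random
            if NAME_HINT.search(name) or looks_random(value):
                cand[name]["sessions"][req["session"]].append(value)
                cand[name]["pages"][(req["session"], req.get("referer"))].add(value)

    tokens = {}
    for name, c in cand.items():
        values = {v for vals in c["sessions"].values() for v in vals}
        # Rule 2: a value fixed across sessions protects nothing; with only one session
        # captured this cannot be decided, so the candidate is left out (over-reporting)
        if len(c["sessions"]) < 2 or len(values) == 1:
            continue
        if all(looks_random(v) for v in values):
            tokens[name] = classify_scope(c["sessions"], c["pages"])

    verdicts = []
    for req in traffic:
        if req["method"].upper() not in STATE_CHANGING:
            continue
        protected = any(name in tokens for name in params_of(req))
        verdicts.append((req["session"], req["method"], urlsplit(req["url"]).path,
                         "resistant" if protected else "potentially vulnerable"))
    return tokens, verdicts


def _post(session, path, referer, query="", **body):
    base = "https://bank.example"                    # assumed host for the sample
    return {"session": session, "method": "POST", "url": base + path + query,
            "referer": base + referer, "body": body}


# Constructed sample capture (not real traffic): two browser sessions, A and B.
SAMPLE_TRAFFIC = [
    {"session": "A", "method": "GET", "url": "https://bank.example/transfer", "referer": None},
    _post("A", "/transfer", "/transfer", amount="100", to="42", csrf_token="8e2f4a6c1b3d5079"),
    _post("A", "/profile", "/profile", name="alice", csrf_token="8e2f4a6c1b3d5079"),
    _post("A", "/comment", "/post/1", text="hi", _nonce="0123456789abcdef"),
    _post("A", "/comment", "/post/1", text="again", _nonce="fedcba9876543210"),
    _post("A", "/logout", "/", query="?token=static-token-value"),   # fixed "token" value
    _post("B", "/transfer", "/transfer", amount="5", to="7", csrf_token="d4c3b2a1f0e98765"),
    _post("B", "/comment", "/post/9", text="yo", _nonce="13579bdf02468ace"),
    _post("B", "/logout", "/", query="?token=static-token-value"),
    _post("B", "/delete", "/settings", item="3"),                     # no token at all
]

if __name__ == "__main__":
    found, results = analyze(SAMPLE_TRAFFIC)
    print("anti-CSRF tokens:", found)
    for session, method, path, verdict in results:
        print(f"{session} {method} {path}: {verdict}")
```

On the constructed capture, `csrf_token` is recognised as a session-scoped token and `_nonce` as a per-request token, while the `token` query parameter on `/logout` is rejected because its value never changes between sessions; the two `/logout` requests and the untokenised `/delete` request are therefore reported as potentially vulnerable. Running `analyze` over session A alone yields no tokens at all, because a single session cannot distinguish a session-scoped token from a constant, which is the practical reason the abstract ties accuracy to the completeness of the captured traffic.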