research-article

Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs

Authors:

Giancarlo Pellegrino,

Martin Johns,

Simon Koch,

Michael Backes,

Christian RossowAuthors Info & Claims

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Pages 1757 - 1771

https://doi.org/10.1145/3133956.3133959

Published: 30 October 2017 Publication History

Get Access

Abstract

Cross-Site Request Forgery (CSRF) vulnerabilities are a severe class of web vulnerabilities that have received only marginal attention from the research and security testing communities. While much effort has been spent on countermeasures and detection of XSS and SQLi, to date, the detection of CSRF vulnerabilities is still performed predominantly manually.

In this paper, we present Deemon, to the best of our knowledge the first automated security testing framework to discover CSRF vulnerabilities. Our approach is based on a new modeling paradigm which captures multiple aspects of web applications, including execution traces, data flows, and architecture tiers in a unified, comprehensive property graph. We present the paradigm and show how a concrete model can be built automatically using dynamic traces.Then, using graph traversals, we mine for potentially vulnerable operations. Using the information captured in the model, our approach then automatically creates and conducts security tests, to practically validate the found CSRF issues. We evaluate the effectiveness of Deemon with 10 popular open source web applications. Our experiments uncovered 14 previously unknown CSRF vulnerabilities that can be exploited, for instance, to take over user accounts or entire websites.

Supplemental Material

MP4 File

Download
2466.08 MB

References

[1]

David Anderson and Mark Hills 2017. Query Construction Patterns in PHP. In IEEE 24th International Conference on Software Analysis, Evolution and Reengineering, SANER 2017, Klagenfurt, Austria, February 20-24, 2017. 452--456. https://doi.org/10.1109/SANER.2017.7884652

Crossref

Google Scholar

[2]

Marc Andreessen. 1993. proposed new tag: IMG. [Posting to the www-talk mailing list], http://1997.webhistory.org/www.lists/www-talk.1993q1/0182.html. (February 1993).

Google Scholar

[3]

Michael Backes, Konrad Rieck, Malte Skoruppa, Ben Stock, and Fabian Yamaguchi 2017. Efficient and Flexible Discovery of PHP Application 2nd European Symposium on Security & Privacy (EuroS&P 2017) (to appear).

Google Scholar

[4]

Guangdong Bai, Jike Lei, Guozhu Meng, Sai Sathyanarayan Venkatraman, Prateek Saxena, Jun Sun, Yang Liu, and Jin Song Dong. 2013. AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, February 24-27, 2013.

Google Scholar

[5]

A. Barth 2011. The Web Origin Concept. RFC 6454 (Proposed Standard). (Dec. 2011). http://www.ietf.org/rfc/rfc6454.txt

Google Scholar

[6]

Adam Barth, Collin Jackson, and John C. Mitchell. 2008. Robust Defenses for Cross-site Request Forgery. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS '08). ACM, New York, NY, USA, 75--88. https://doi.org/10.1145/1455770.1455782

Digital Library

Google Scholar

[7]

Jason Bau, Elie Bursztein, Divij Gupta, and John Mitchell 2010. State of the Art: Automated Black-Box Web Application Vulnerability Testing 2010 IEEE Symposium on Security and Privacy. 332--345. 1109/SP.2014.44

Google Scholar

[8]

William Zeller and Edward W. Felten 2008. Cross-Site Request Forgeries: Exploitation and Prevention. (2008). http://www.cs.utexas.edu/ shmat/courses/cs378/zeller.pdf

Google Scholar

[9]

Yuchen Zhou and David Evans 2014. SSOScan: Automated Testing of Web Applications for Single Sign-on Vulnerabilities Proceedings of the 23rd USENIX Conference on Security Symposium (SEC'14). USENIX Association, Berkeley, CA, USA, 495--510. http://dl.acm.org/citation.cfm?id=2671225.2671257

Google Scholar

Cited By

View all

Guo ZKang MVenkatakrishnan VGjomemo RCao YLuo BLiao XXu JKirda ELie D(2024)ReactAppScan: Mining React Application Vulnerabilities via Component GraphProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670331(585-599)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3670331
Zhang ZHou QYing LDiao WGu YLi RGuo SDuan HLuo BLiao XXu JKirda ELie D(2024)MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-ProgramsProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670294(525-539)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3670294
Ferreira MMonteiro MBrito TCoimbra MSantos NJia LSantos J(2024)Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency GraphsProceedings of the ACM on Programming Languages10.1145/36563948:PLDI(417-441)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656394
Show More Cited By

Index Terms

Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs
1. Security and privacy
  1. Software and application security
    1. Web application security

Recommendations

Robust defenses for cross-site request forgery
CCS '08: Proceedings of the 15th ACM conference on Computer and communications security

Cross-Site Request Forgery (CSRF) is a widely exploited web site vulnerability. In this paper, we present a new variation on CSRF attacks, login CSRF, in which the attacker forges a cross-site request to the login form, logging the victim into the ...
Security vulnerabilities and mitigation techniques of web applications
SIN '13: Proceedings of the 6th International Conference on Security of Information and Networks

Web applications contain vulnerabilities, which may lead to serious security breaches such as stealing of confidential information. To protect against security breaches, it is necessary to understand the detailed steps of attacks and the pros and cons ...
Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection
Financial Cryptography and Data Security

A cross site request forgery (CSRF) attack occurs when a user's web browser is instructed by a malicious webpage to send a request to a vulnerable web site, resulting in the vulnerable web site performing actions not intended by the user. CSRF ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

October 2017

2682 pages

ISBN:9781450349468

DOI:10.1145/3133956

General Chair:
Bhavani Thuraisingham
The University of Texas at Dallas, USA
,
Program Chairs:
David Evans
University of Virginia
,
Tal Malkin
Columbia University
,
Dongyan Xu
Purdue University

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 October 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Bundesministerium für Bildung und Forschung
Bundesministerium für Bildung und Forschung - BMBF

Conference

CCS '17

Sponsor:

SIGSAC

CCS '17: 2017 ACM SIGSAC Conference on Computer and Communications Security

October 30 - November 3, 2017

Texas, Dallas, USA

Acceptance Rates

CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

40
Total Citations
View Citations
717
Total Downloads

Downloads (Last 12 months)67
Downloads (Last 6 weeks)7

Reflects downloads up to 12 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Guo ZKang MVenkatakrishnan VGjomemo RCao YLuo BLiao XXu JKirda ELie D(2024)ReactAppScan: Mining React Application Vulnerabilities via Component GraphProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670331(585-599)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3670331
Zhang ZHou QYing LDiao WGu YLi RGuo SDuan HLuo BLiao XXu JKirda ELie D(2024)MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-ProgramsProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670294(525-539)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3670294
Ferreira MMonteiro MBrito TCoimbra MSantos NJia LSantos J(2024)Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency GraphsProceedings of the ACM on Programming Languages10.1145/36563948:PLDI(417-441)Online publication date: 20-Jun-2024
https://dl.acm.org/doi/10.1145/3656394
Shi YZhang YBai TZhang LTan XYang MChua TNgo CKa-Wei Lee RKumar RLauw H(2024)RecurScan: Detecting Recurring Vulnerabilities in PHP Web ApplicationsProceedings of the ACM Web Conference 202410.1145/3589334.3645530(1746-1755)Online publication date: 13-May-2024
https://dl.acm.org/doi/10.1145/3589334.3645530
Fu CLi QXu K(2024)Flow Interaction Graph Analysis: Unknown Encrypted Malicious Traffic DetectionIEEE/ACM Transactions on Networking10.1109/TNET.2024.337085132:4(2972-2987)Online publication date: Aug-2024
https://doi.org/10.1109/TNET.2024.3370851
Hantke FRoth SMrowczynski RUtz CStock B(2024)Where Are the Red Lines? Towards Ethical Server-Side Scans in Security and Privacy Research2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00104(4405-4423)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00104
Khodayari SBarber TPellegrino G(2024)The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00098(166-184)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00098
Ramadan MOsama BZaher MMansour HEl Sersi W(2024)Enhancing Web Security: A Comparative Analysis of Machine Learning Models for CSRF Detection2024 Intelligent Methods, Systems, and Applications (IMSA)10.1109/IMSA61967.2024.10652629(18-25)Online publication date: 13-Jul-2024
https://doi.org/10.1109/IMSA61967.2024.10652629
M.E VBothinath BKumar KKavinpirasanth V(2024)Detect Potentially Risky Websites using Hidden Markov Model2024 International Conference on Inventive Computation Technologies (ICICT)10.1109/ICICT60155.2024.10544876(1120-1123)Online publication date: 24-Apr-2024
https://doi.org/10.1109/ICICT60155.2024.10544876
CHEN YPAN ZCHEN YLI Y(2023)DISOV: Discovering Second-Order Vulnerabilities Based on Web Application Property GraphIEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences10.1587/transfun.2022EAP1045E106.A:2(133-145)Online publication date: 1-Feb-2023
https://doi.org/10.1587/transfun.2022EAP1045
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Robust defenses for cross-site request forgery

Security vulnerabilities and mitigation techniques of web applications

Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection