Model-Based Detection of CSRF

Abstract: Cross-Site Request Forgery (CSRF) is listed in the top ten list of the Open Web Application Security Project (OWASP) as one of the most critical threats to web security. A number of protection mechanisms against CSRF exist, but an attacker can often exploit the complexity of modern web applications to bypass these protections by abusing other flaws. We present a formal model-based technique for automatic detection of CSRF. We describe how a web application should be specified in order to facilitate the exposition of CSRF-related vulnerabilities. We use an intruder model, à la Dolev-Yao, and discuss how CSRF attacks may result from the interactions between the intruder and the cryptographic protocols underlying the web application. We demonstrate the effectiveness and usability of our technique with three real-world case studies.
Document type: Conference paper
Nora Cuppens-Boulahia; Frédéric Cuppens; Sushil Jajodia; Anas Abou El Kalam; Thierry Sans. 29th IFIP International Information Security Conference (SEC), Jun 2014, Marrakech, Morocco. Springer, IFIP Advances in Information and Communication Technology, AICT-428, pp.30-43, 2014, ICT Systems Security and Privacy Protection. 〈10.1007/978-3-642-55415-5_3〉

Cited literature [11 references]

https://hal.inria.fr/hal-01370351
Contributor: Hal Ifip
Submitted on: Thursday 22 September 2016 - 14:17:14
Last modified on: Thursday 22 September 2016 - 15:17:24

File

978-3-642-55415-5_3_Chapter.pd...
Files produced by the author(s)

License

Distributed under a Creative Commons Attribution 4.0 International License

Identifiers

Citation

Marco Rocchetto, Martín Ochoa, Mohammad Torabi Dashti. Model-Based Detection of CSRF. Nora Cuppens-Boulahia; Frédéric Cuppens; Sushil Jajodia; Anas Abou El Kalam; Thierry Sans. 29th IFIP International Information Security Conference (SEC), Jun 2014, Marrakech, Morocco. Springer, IFIP Advances in Information and Communication Technology, AICT-428, pp.30-43, 2014, ICT Systems Security and Privacy Protection. 〈10.1007/978-3-642-55415-5_3〉. 〈hal-01370351〉


Metrics

Record views: 76

File downloads: 105