(2017) Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs.
|
Text
csrf_ccs2017.pdf - Accepted Version Download (2MB) | Preview |
Abstract
Cross-Site Request Forgery (CSRF) vulnerabilities are a severe class of web vulnerabilities that have received only marginal attention from the research and security testing communities. While most of the effort has been spent on countermeasures and detection of XSS and SQLi, to date, the detection of CSRF vulnerabilities is still performed predominantly manually. In this paper, we present Deemon, to the best of our knowledge, the first automated security testing framework to discover CSRF vulnerabilities. Our approach is based on a new modeling paradigm which captures multiple aspects of web applications, including execution traces, data flows, and architecture tiers in a unified, comprehensive property graph. We present the paradigm and show how a concrete model can be built automatically using dynamic traces. Then, using graph traversals, we mine for potentially vulnerable operations. Using the information captured in the model, our approach then automatically creates and conducts security tests, to practically validate the found CSRF issues. We evaluate the effectiveness of Deemon with 10 popular open source web applications. Our experiments uncovered 14 previously unknown CSRF vulnerabilities that can be exploited, for instance, to take over user accounts or entire websites.
| Item Type: | Conference or Workshop Item (A Paper) (Paper) |
|---|---|
| Uncontrolled Keywords: | cispa, cispa:group:infsec |
| Divisions: | Michael Backes (InfSec) Christian Rossow (System Security Group, SysSec) |
| Conference: | CCS ACM Conference on Computer and Communications Security |
| Depositing User: | Sebastian Weisgerber |
| Date Deposited: | 24 Oct 2017 13:31 |
| Last Modified: | 18 Jul 2019 12:12 |
| Primary Research Area: | NRA5: Empirical & Behavioral Security |
| URI: | https://publications.cispa.saarland/id/eprint/1151 |
Actions
Actions (login required)
 |
View Item |