Design the Model of CSRF Attack Tree for Immunization the Web Application in Development Process

Authors

1 Master's student, Imam Hossein University, Tehran, Iran

2 Assistant Professor, Imam Hossein University, Tehran, Iran

Abstract

Adding security only after an application has been produced, together with designers' and developers' neglect of attack trees, is among the major challenges in web application development. One of the most common attacks in the web domain is CSRF, which arises from the user's trust in the web application. In this paper the CSRF attack tree is provided as a security solution within the web application production process, with no need to interact with the end user. To this end, the CSRF attack tree is derived by combining attributes extracted from exploit codes with experimental attributes. Using the produced tree, we were able to identify, with 83% accuracy, the different routes that hackers use in CSRF attacks. Immunizing the attack vectors detected in this article, by designers and developers, will result in web applications that are secure against CSRF attacks.
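The abstract describes deriving a CSRF attack tree and then immunizing the detected attack vectors during development. The following is an added example, not the paper's tree or code: it models a constructed, generic CSRF attack tree (AND/OR nodes over well-known preconditions such as missing anti-CSRF tokens, missing Origin validation and cookies without SameSite), evaluates it against an application's assumed security posture (the attribute names in `WEAK_POSTURE` are assumptions made for this example), lists the minimal cut sets that remain open, and reports which single control would close every path.

```python
"""Attack-tree model of CSRF exposure, evaluated against an application's posture.

Added example (not the paper's own tree or code). The tree below is a
constructed, generic CSRF attack tree built from well-known preconditions;
the attribute names in WEAK_POSTURE are assumptions made for this example.
AND nodes need every child, OR nodes need any child. Evaluating the tree
against a posture yields the minimal cut sets (combinations of weaknesses
that make the goal reachable) and the single controls that would close
every remaining path, which is the "immunization" view a designer wants.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Sequence, Union


@dataclass(frozen=True)
class Leaf:
    """An attacker precondition; it holds when posture[attr] == holds_when."""
    name: str
    attr: str
    holds_when: bool


@dataclass(frozen=True)
class Node:
    name: str
    op: str                 # "AND" or "OR"
    children: Sequence["Tree"]


Tree = Union[Leaf, Node]

# Constructed CSRF attack tree (assumption: a generic textbook decomposition,
# not the tree derived in the paper).
CSRF_TREE = Node("Forge a state-changing request as the victim", "AND", [
    Node("Victim's credential is attached to a cross-site request", "OR", [
        Leaf("session cookie has no SameSite restriction", "session_cookie_samesite", False),
        Leaf("browser-cached HTTP auth is sent automatically", "ambient_http_auth", True),
    ]),
    Node("Server cannot tell a forged request from an intended one", "AND", [
        Leaf("no per-session anti-CSRF token is required", "csrf_token_required", False),
        Leaf("Origin/Referer header is not validated", "origin_validated", False),
    ]),
    Node("A third-party page can make the browser issue the request", "OR", [
        Leaf("state change is reachable via GET", "state_change_via_get", True),
        Leaf("endpoint accepts a plain HTML form POST", "accepts_html_form_post", True),
    ]),
])

# Constructed posture of an application with no CSRF defences at all.
WEAK_POSTURE: Dict[str, bool] = {
    "session_cookie_samesite": False,
    "ambient_http_auth": False,
    "csrf_token_required": False,
    "origin_validated": False,
    "state_change_via_get": True,
    "accepts_html_form_post": True,
}


def insecure_values(tree: Tree) -> Dict[str, bool]:
    """Map each posture attribute to the value that satisfies its leaf."""
    if isinstance(tree, Leaf):
        return {tree.attr: tree.holds_when}
    out: Dict[str, bool] = {}
    for child in tree.children:
        out.update(insecure_values(child))
    return out


def cut_sets(tree: Tree, posture: Dict[str, bool]) -> List[FrozenSet[str]]:
    """Minimal sets of satisfied leaves that reach `tree`; [] means unreachable.
    A posture attribute that is not recorded is treated as insecure."""
    if isinstance(tree, Leaf):
        value = posture.get(tree.attr, tree.holds_when)
        return [frozenset([tree.name])] if value == tree.holds_when else []
    child_sets = [cut_sets(c, posture) for c in tree.children]
    if tree.op == "OR":
        found = [s for sets in child_sets for s in sets]
    elif tree.op == "AND":
        if any(not sets for sets in child_sets):
            return []
        found = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown operator {tree.op!r}")
    unique = list(dict.fromkeys(found))
    # keep only minimal sets: drop any set that strictly contains another
    return [s for s in unique if not any(other < s for other in unique)]


def closing_controls(tree: Tree, posture: Dict[str, bool]) -> List[str]:
    """Posture attributes whose correction, on its own, leaves no open path."""
    closers = []
    for attr, insecure in insecure_values(tree).items():
        if posture.get(attr, insecure) != insecure:
            continue                      # already in its secure state
        trial = dict(posture, **{attr: not insecure})
        if not cut_sets(tree, trial):
            closers.append(attr)
    return closers


if __name__ == "__main__":
    for cs in cut_sets(CSRF_TREE, WEAK_POSTURE):
        print("open path:", " + ".join(sorted(cs)))
    print("single controls that close every path:", closing_controls(CSRF_TREE, WEAK_POSTURE))
    hardened = dict(WEAK_POSTURE, csrf_token_required=True)
    print("paths after requiring a token:", cut_sets(CSRF_TREE, hardened))
```

Unrecorded posture attributes are deliberately treated as insecure, so an incomplete survey of the application errs on the side of reporting a path as open. Note that the SameSite leaf is simplified: `SameSite=Lax` still sends the cookie on top-level GET navigations, so a real model would split that leaf by request type.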

Keywords


Volume 3, Issue 1 - Serial Number 1
November 2020
Pages 41-52
  • Receive Date: 28 October 2014
  • Revise Date: 21 June 2023
  • Accept Date: 19 September 2018
  • Publish Date: 21 April 2015