Proceedings of ISP RAS


The Study into Cross-Site Request Forgery Attacks within the Framework of Analysis of Software Vulnerabilities

Barabanov A.V. (NPO Echelon, Moscow, Russia)
Lavrov A.I. (NPO Echelon, Moscow, Russia)
Markov A.S. (Bauman MSTU, Moscow, Russia)
Polotnyanschikov I.A. (NPO Echelon, Moscow, Russia)
Tsirlov V.L. (Bauman MSTU, Moscow, Russia)

Abstract

Nowadays, web applications are one of the most popular types of target of evaluation within the framework of the information security certification. The relevance of the study of web applications vulnerabilities during information security certification is due to the fact that web technologies are actively used while producing modern information systems, including information systems critical from the information security point of view, and on the other hand carrying out basic attacks on such information systems do not require violators of high technical competence, since data on typical vulnerabilities and attacks, including the attacking tools are heavily represented in publicly available sources of information, and the information systems themselves are usually available from public communication networks. The paper presents the results of a study of the security of web applications that are target of evaluation within the framework of certification for information security requirements against cross-site requests forgery attacks. The results of systematization and generalization of information about the cross-site requests forgery attacks and security controls used by web application developers are presented. The results of experimental studies of 10 web applications that have passed certification tests against information security requirements are presented. The results of experimental studies have shown that most developers do not pay enough attention to protection from cross-site request forgery attack - 7 out of 10 web applications tested have been vulnerable to this type of attack. Based on the results of processing the results of experimental studies, the distribution of security controls used in web applications and identified vulnerabilities by programming languages were obtained. Recommendations regarding the protection of web applications against cross-site request forgery attack for developers planning to certify their software are formulated.

Keywords

information security; software security; analysis of vulnerabilities; web-application; CSRF-attack

Edition

Proceedings of the Institute for System Programming, vol. 29, issue 5, 2017, pp. 7-18.

ISSN 2220-6426 (Online), ISSN 2079-8156 (Print).

DOI: 10.15514/ISPRAS-2017-29(5)-1

Full text of the paper in pdf Back to the contents of the volume