Overview of methods for protecting Web-applications from CSRF vulnerabilities (Cross-Site Request Forgery)
DOI: https://doi.org/10.18372/2073-4751.71.17000
Keywords: CSRF-attack, Cross-Site Request Forgery, data protection, Web-application
Abstract
The article presents a study of methods for protecting Web-applications from CSRF (Cross-Site Request Forgery) vulnerabilities. The conducted research showed that Web-developers do not pay enough attention to protection against Cross-Site Request Forgery attacks. The authors systematized and proposed a set of methods of protection against CSRF-attacks and formed recommendations for Web-application developers to ensure comprehensive protection against such attacks. The suggested methods include: using a CSRF-token in the request body and in an HTTP-header, transferring data in an alternative form that does not use the MIME-types of HTML-forms, checking the Referer header, using the SameSite cookie attribute, and requiring user confirmation of sensitive operations.
The proposed methods will allow developers to create secure Web-applications that are invulnerable to CSRF-attacks.
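The following is an added example (not code from the article) showing how three of the listed methods fit together on the server side: a per-session synchronizer token accepted either from the form body or from a custom header, an Origin/Referer check against the application's own origin, and a session cookie issued with SameSite. The origin `https://app.example`, the header name `X-CSRF-Token`, and the form field `csrf_token` are assumed names chosen for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin of the Web-application (constructed for this example).
APP_ORIGIN = "https://app.example"


def issue_csrf_token() -> str:
    """Generate an unguessable token; store it in the session and embed it in forms."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: SameSite=Strict makes browsers omit the cookie on cross-site requests."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


def referer_allowed(headers: dict) -> bool:
    """Accept a state-changing request only if its Origin (or Referer) is our own origin.
    A request that carries neither header is rejected rather than trusted."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN


def csrf_token_valid(session_token: str, form: dict, headers: dict) -> bool:
    """The token may arrive in the form body or in the X-CSRF-Token header (assumed name).
    Comparison is constant-time so the check does not leak the token by timing."""
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not submitted or not session_token:
        return False
    return hmac.compare_digest(session_token, submitted)


def state_change_allowed(session_token: str, form: dict, headers: dict) -> bool:
    """Combined check applied to every POST/PUT/DELETE before performing the operation."""
    return referer_allowed(headers) and csrf_token_valid(session_token, form, headers)
```

Sensitive operations would additionally require the user confirmation step the abstract mentions; that is a UI flow and is not shown here.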
License
The scientific journal adheres to the principles of Open Access and provides free, immediate, and permanent access to all published materials without financial, technical, or legal barriers for readers.
All articles are published in Open Access under the Creative Commons Attribution 4.0 International (CC BY 4.0) license.
Copyright
Authors who publish their works in the journal:
- retain the copyright to their publications;
- grant the journal the right of first publication of the article;
- agree to the distribution of their materials under the CC BY 4.0 license;
- have the right to reuse, archive, and distribute their works (including in institutional and subject repositories), provided that proper reference is made to the original publication in the journal.