Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF Vulnerabilities / Calzavara, Stefano; Conti, Mauro; Focardi, Riccardo; Rabitti, Alvise; Tolomei, Gabriele. - (2019), pp. 528-543. (Paper presented at the 4th IEEE European Symposium on Security and Privacy, EURO S and P 2019, held in Stockholm, Sweden) [10.1109/EuroSP.2019.00045].

Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF Vulnerabilities

Mauro Conti; Gabriele Tolomei
2019

Abstract

Cross-Site Request Forgery (CSRF) is one of the oldest and simplest attacks on the Web, yet it is still effective on many websites and it can lead to severe consequences, such as economic losses and account takeovers. Unfortunately, tools and techniques proposed so far to identify CSRF vulnerabilities either need manual reviewing by human experts or assume the availability of the source code of the web application. In this paper we present Mitch, the first machine learning solution for the black-box detection of CSRF vulnerabilities. At the core of Mitch there is an automated detector of sensitive HTTP requests, i.e., requests which require protection against CSRF for security reasons. We trained the detector using supervised learning techniques on a dataset of 5,828 HTTP requests collected on popular websites, which we make available to other security researchers. Our solution outperforms existing detection heuristics proposed in the literature, allowing us to identify 35 new CSRF vulnerabilities on 20 major websites and 3 previously undetected CSRF vulnerabilities on production software already analyzed using a state-of-the-art tool.
2019
4th IEEE European Symposium on Security and Privacy, EURO S and P 2019
cross site request forgery; machine learning; web security
04 Publication in conference proceedings::04b Conference paper in volume
Files attached to this item

File: Calzavara_Mitch_2019.pdf (access restricted to archive administrators)
Type: Publisher's version (published version with the publisher's layout)
Licence: All rights reserved
Size: 532.3 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11573/1382688
Citations
  • PubMed Central: not available
  • Scopus: 23
  • Web of Science (ISI): 12