This document summarizes 5 papers on researching CSRF protection in web frameworks. Paper 1 analyzes CSRF mitigation levels in popular JavaScript frameworks and finds that Express, Koa, and Hapi provide level 3 protection through plugins, while Sails has level 4 built-in protection and Meteor level 5 through architecture. Paper 2 surveys CSRF defenses across frameworks and maps them to threats. It finds defenses are inconsistently implemented and most frameworks combine multiple defenses. Paper 3 presents an algorithm called Mitch that uses machine learning to detect CSRF vulnerabilities as a black-box by analyzing differences in responses to sensitive versus insensitive requests. Paper 4 also uses machine learning for CSRF detection and tests it on existing

1. Web Security

2. A REVIEW
ON CSRF
PROTECTION
RESEARCH METHODOLOGY (3710001)
Prepared By:
SOHIL LALAKIYA (220280723006)

3. CONTENTS OF THIS PRESENTATION
 Abstract
 Introduction
 Literature Review
 Summarization
 Future work possibility
 Conclusion
 References

4. ABSTRACT
 There are many frameworks released every year and a
well designed framework may help developers create
secure web applications.
 Cross-Site Request Forgery (CSRF) is among the oldest
web vulnerabilities that, despite its popularity and
severity, it is still an understudied security problem.
 So here we will create and analyze open source
application and identified the percentage of protected
application for each framework.

5. INTRODUCTION
 Here, we decided to study how
CSRF protection is implemented in
popular frameworks and to analyze
how the different levels of
mitigation control implementation
affect the security of applications
developed with those frameworks.
SECURITY

6. LITERATURE
REVIEW

7. PAPERS
1. CSRF protection in JavaScript frameworks and the security of JavaScript
applications. [1]
2. Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks. [2]
3. Automatic Black-Box Detection of Resistance Against CSRF Vulnerabilities in
Web Applications. [3]
4. Machine Learning for Web Vulnerability Detection: The Case of Cross-Site
Request Forgery. [4]
5. Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF
Vulnerabilities. [5]

8. PAPER 1
 CSRF protection in JavaScript frameworks
and the security of JavaScript
applications. [1]
• Published in High-Confidence Computing on December 2021

9. PROBLEM STATEMENT
● JavaScript frameworks are released every year and
we don’t know how cross-site request forgery
vulnerability is mitigated in several server- side
JavaScript frameworks.

10. WHY JAVASCRIPT
 It’s because according to StackOverflow Developer Survey of 2021, JavaScript is named ”the
most commonly used programming language” for the ninth year in a row. [1]

11. Security Levels
● L0 - No mitigation in place. This provides a base case of lack
of any protection.
● L1 - Custom function that is written by developers and is
included in their own code
● L2 - An external library that provides a sanitization function
● L3 - A framework plugin , similar to an external library, that is
a third- party code used by developers.
● L4 - Built-in mitigation control , that is implemented in the
framework as a function or feature

12. Frameworks and Libraries
We selected four JavaScript
frameworks based on their
popularity
Express
For CSRF protection, there are two
popular plugins: csrf and csurf
Koa
The most commonly used for CSRF
protection is the koa-csrf plugin
01
02
03
04
05
Hapi.js
The crumb plugin implements CSRF
protection with the double-submit
cookie technique
Sails.js
Sails has several built-in security
features. And one of such security
features is CSRF protection.
Meteor.js
No HTTP only Distributed Data
Protocol (DDP), To maintain
sessions it store session token in
the LS instead of a cookie.

13. EXPRESS
 For CSRF protection there are two popular plugins: csrf and csurf in
Express, csurf middleware builds on top of the csrf middleware and it
provides protection at level L3.
Fig:1.1 Express [1]

14. Koa
 The most commonly used for CSRF protection is the koa-csrf plugin in Koa. It
is used globally, and the token can be submitted in the request body, as a
query parameter, or as an HTTP header. The koa-csrf plugin implements the
CSRF security control at level L3.
Fig: 1.2 Koa [1]

15. Hapi.js
 The most common plugin for CSRF protection is crumb and it implements
CSRF protection with the double-submit cookie technique. Thus, similar to
Express and Koa, the Hapi framework provides the CSRF security control with
the crumb plugin at mitigation level L3.
Fig:1.3 Hapi [1]

16. Sails.js
 Sails has several built-in security features which are configured as policies
and implemented as middleware functions. One of such security features is
CSRF protection. Therefore, it implements the CSRF protection at level L4
Fig: 1.4 Sails [1]

17. Meteor.js
 Meteor.js use Distributed Data Protocol (DDP) Instead of sending traditional
HTTP requests, to exchange data between the server and the client.
 To maintain sessions, Meteor stores a session to- ken in the local-Storage
instead of a cookie, which is used to establish a long-lived WebSocket
connection.
 it implements the CSRF protection at level L5 - Architecture-level mitigation
control.

18. FINAL
RESULTS

19. RESULT ANALYSIS
Table 1: Results Tables [1]

20. FUTURE WORK
 Most of javascript library which use plugins for CSRF
protection, they provide L3 level security but we can
improve it to L4.

21. PAPER 2
 Where We Stand (or Fall): An Analysis of
CSRF Defenses in Web Frameworks
• Published in Association for Computing Machinery, New York
on 7 October 2021

22. TABLE 1
Overview of CSRF defenses and threats. The left part summarizes our survey of CSRF
defenses. The right part shows the mapping between each defense and potential threats. [2]

23. TABLE 2
Frequency of the combination of CSRF defenses. Each
entry in this symmetric table shows the number of
frameworks that use a certain combination. [2]

24. TABLE 3
Summary of results on top five frameworks of top five languages. [2]

25. TABLE 4
Summary of results on less popular frameworks of top four languages. Only five
frameworks were identified for C#. [2]

26. PAPER 3
 Mitch: A Machine Learning Approach to
the Black-Box Detection of CSRF
Vulnerabilities
• Published in: 2019 IEEE European Symposium on Security
and Privacy (EuroS&P)

27. PROBLEM STATEMENT
 Deemon is the first research tool
that automatically detects CSRF
vulnerabilities but it works for PHP
only and but previous research
highlighted that existing web
application scanners are not
effective in this task.

28. HTTP REQUEST CLASSIFICATION
 Structural is the category of features describes
structural properties of an HTTP request.
 numerical features
• numOfParams
• numOfBools
• numOfBlobs
• reqLen

29. HTTP REQUEST CLASSIFICATION
● The average number of parameters of sensitive requests is around 6.27, while for
insensitive ones this is 3.43.
● it is evident that the median value of numOfParams is significantly higher for
sensitive than for insensitive HTTP requests.
Fig: 3.1 - Distribution of numOfParam [3]

30. HTTP REQUEST CLASSIFICATION
● This figure suggests that the length of sensitive requests is somewhat
more consistent and bounded within a smaller range of generally higher
values.
Fig: 3.2 - Distribution of reqLen [3]

31. HTTP REQUEST CLASSIFICATION
● Here this is distribution of the two features isGET and isPOST across sensitive and
insensitive requests.
● We observe that about 30% of POST requests are labeled as sensitive, while only
5% of GET requests are sensitive.
Fig: 3.3 - Distribution of class labels across the two functional
features [3]

32. Feature Importance
● we use the importance score as provided by the scikit-learn package, which in turn
implements it using Gini impurity Here is the top- 10 most important features
derived from our RF classifier.
● We can observe that the two most important features are and numOfParams,
followed by the two features reqLen encoding the request method.
Fig: 3.4 - Top10 most important features derived from
our RF [3]

33. CSRF Detection Algorithm
● the algorithm works by first building a set of candidate vulnerabilities,
based on sensitive requests which produce dissimilar responses.
Fig: 3.5 - Algorithm 1 CSRF Detection Algorithm [3]

34. SOLUTION
● Adversarial learning is an active research area whose main goal is designing
classification algorithms which are robust to the presence of attackers who actively
try to fool them into misprediction
Fig: 3.6 Mitch architecture[3]

35. FUTURE WORK
● There are a number of avenues for future work. Adversarial
learning is an active research area whose main goal is
designing classification algorithms which are robust to the
presence of attackers who actively try to fool them into
misprediction

36. PAPER 4
 Machine Learning for Web Vulnerability
Detection: The Case of Cross-Site
Request Forgery
• Published in Elsevier Microprocessor and Microsystems
journal, Volume 80, Article 103615, February 2021

37. PROBLEM STATEMENT
● For automated CSRF prevention SameSite cookie attribute
can be used to prevent cookie attachment on cross-site
requests.
● Unfortunately, this defense is not yet widespread.

38. SOLUTION
 supervised learning automatically train a classifier which
partitions selected web objects of interest, e.g. HTTP
requests, HTTP responses or cookies, based on the web
application semantics. For example, in the case of CSRF
detection, the classifier would be used to identify security-
sensitive HTTP requests.

39. Architecture of Mitch
Fig: 4.1 Mitch architecture[4]

40. CSRF DETECTION ON EXISTING WEBSITES
Table: 4.1 - CSRF DETECTION ON EXISTING WEBSITES [4]

41. CSRF DETECTION ON PRODUCTION SOFTWARE
Table: 4.2 - CSRF DETECTION ON PRODUCTION
SOFTWARE [4]

42. PAPER 5
 Automatic Black-Box Detection of
Resistance Against CSRF Vulnerabilities in
Web Applications
• Published in Elsevier Microprocessor and Microsystems
journal, Volume 80, Article 103615, February 2021

43. PROBLEM STATEMENT
• It impact on the speed and performance of the browser.
Shahriar and Zolkernine implemented a
plugin.
• This approach was manually and time consuming.
OWASP has developed a tool, namely
CSRFTester
• Deemon can’t be used in web-application.
Deemon is another tool designed to
detect CSRF vulnerabilities

44. CSRF DETECTION SYSTEM
Architecture of the Proposed CSRF Detection
System.
Fig: 5.1 - The Architecture of the Proposed CSRF
Detection System. [5]

45. CSRF DETECTION RULES
The Order of Applying Anti-CSRF Detection
Rules.
Fig: 5.2 - The Order of Applying Anti-CSRF Detection
Rules. [5]

46. ARCHITECTURE
The Architecture of Our System to Detect
Resistant Requests Against CSRF.
Fig: 5.3 - The Architecture of Our System to Detect
Resistant Requests Against CSRF.[5]

47. DETECTION RULES
• The confidence rules divide
detected tokens into two sets
of reliable and unreliable
tokens
Confidence
Rules:
Remove the false detections.
All request-level tokens are
removed from the set of
session-level tokens.
Precision
rules:

48. RESULTS
The Number of Detected Anti-CSRF Tokens vs. the
Expected Number of Anti-CSRF Tokens for Chmail With
the Augmented Traffic.
Table: 5.1 - Anti-CSRF token detect.[5]

49. FUTURE WORK
 We plan to investigate more on the CSRF defense mechanisms
and extend the proposed rules to reduce the number of false
detections of the method.
 we also plan to work on the implementation issues of our method
and improve the efficiency of the current implementation.

50. CSRF PROTECTION
SUMMARIZATION

51. SUMMARIZATION
Sr no. Name of paper Publication
details
Proposed
solution
Research
possibility
Tools and
technology
1. CSRF
protection in
JavaScript
frameworks
and the
security of
JavaScript
applications.
Published in
High-
Confidence
Computing
December
2021
Got the
external
plugins for
CSRF
protection.
Can work for
extra level
security and
find the plugin
with extra
security.
JavaScript,
Express,
Koa,
Hapi.js,
Sails.js,
Meteor.js

52. SUMMARIZATION
Sr no. Name of paper Publication
details
Proposed
solution
Research
possibility
Tools and
technology
2. Where We
Stand (or Fall):
An Analysis of
CSRF
Defenses in
Web
Frameworks
Published in
Association
for
Computing
Machinery,
New York on
7 October
2021
Analyze new
threats and
get the
solutions
according to
threat.
Can work on
analyse new
threat or it’s
categories
and check it’s
security level.
Frameworks
of JavaScript,
Java,
Python,
PHP,
C#

53. SUMMARIZATION
Sr no. Name of paper Publication
details
Proposed
solution
Research
possibility
Tools and
technology
3. Machine
Learning for
Web
Vulnerability
Detection: The
Case of
Cross-Site
Request
Forgery
Published in:
IEEE
Security &
Privacy
( Volume:18)
On 22
January
2020
Filter
sensitive and
insensitive
requests and
apply CSRF
detection
algorithm.
Plan to
improve
classifiers
and reduce
the number of
false positive
and false
negative
reported by
mitch.
Supervised
learning,
ML-Classifier,
Python,
Mitch.

54. SUMMARIZATION
Sr no. Name of paper Publication
details
Proposed
solution
Research
possibility
Tools and
technology
4. Mitch: A
Machine
Learning
Approach to
the
Black-Box
Detection of
CSRF
Vulnerabilities
Published in:
2019 IEEE
European
Symposium
on Security
and Privacy
(EuroS&P)
Black-box
detection of
CSRF
Vulnerabilities
Using VGG-
16 approach
for the
classification
of disease as
it gives the
most optimal
solution.
Supervised
learning,
ML-Classifier,
Python,
Mitch.

55. SUMMARIZATION
Sr no. Name of paper Publication
details
Proposed
solution
Research
possibility
Tools and
technology
5. Automatic
Black-Box
Detection of
Resistance
Against CSRF
Vulnerabilities
in Web
Applications
Published in
Elsevier
Microproces
sor and
Microsystem
s journal,
Volume 80,
Article
103615,
February
2021
Black-Box
detection of
CSRF
Vulnerabilities
in web
application.
extend the
proposed
rules to
reduce the
number of
false
detections of
the method.
Open Web
Application
Security
Project,
buggy web
application

56. FUTURE
WORK
POSSIBILITY

57. FUTURE WORK POSSIBILITY
 We can work on finding best plugin which provides high security
level to our JS library.
 Adversarial learning whose main goal is make fool to attacker.
 We plan to investigate more on the CSRF defense mechanisms and
extend the proposed rules to reduce the number of false
detections of the method.
 we also plan to work on the implementation issues of our method
and improve the efficiency of the current implementation.

58.  Cross-Site Request Forgery (CSRF) is one of
the oldest and simplest attacks on the Web,
yet it is still effective on many websites and it
can lead to severe consequences, such as
economic losses and account takeovers.
Unfortunately, tools and techniques
proposed so far to identify CSRF
vulnerabilities either need manual reviewing
by human experts or assume the availability
of the source code of the web application.
CONCLUSION

59. REFERENCES
REFERENCES
REFERENCES
REFERENCES
REFERENCES
REFERENCES
REFERENCES

60. REFERENCES
1. CSRF protection in JavaScript frameworks and the security of JavaScript
applications. [1]
2. Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks. [2]
3. Automatic Black-Box Detection of Resistance Against CSRF Vulnerabilities in
Web Applications. [3]
4. Machine Learning for Web Vulnerability Detection: The Case of Cross-Site
Request Forgery. [4]
5. Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF
Vulnerabilities. [5]

61. THANK YOU