Web Security
A REVIEW
ON CSRF
PROTECTION
RESEARCH METHODOLOGY (3710001)
Prepared By:
SOHIL LALAKIYA (220280723006)
CONTENTS OF THIS PRESENTATION
 Abstract
 Introduction
 Literature Review
 Summarization
 Future work possibility
 Conclusion
 References
ABSTRACT
 There are many frameworks released every year, and a well-designed framework may help developers create secure web applications.
 Cross-Site Request Forgery (CSRF) is among the oldest web vulnerabilities; despite its popularity and severity, it is still an understudied security problem.
 So here we will create and analyze open-source applications and identify the percentage of protected applications for each framework.
INTRODUCTION
 Here, we decided to study how
CSRF protection is implemented in
popular frameworks and to analyze
how the different levels of
mitigation control implementation
affect the security of applications
developed with those frameworks.
LITERATURE
REVIEW
PAPERS
1. CSRF protection in JavaScript frameworks and the security of JavaScript
applications. [1]
2. Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks. [2]
3. Automatic Black-Box Detection of Resistance Against CSRF Vulnerabilities in
Web Applications. [3]
4. Machine Learning for Web Vulnerability Detection: The Case of Cross-Site
Request Forgery. [4]
5. Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF
Vulnerabilities. [5]
PAPER 1
 CSRF protection in JavaScript frameworks
and the security of JavaScript
applications. [1]
• Published in High-Confidence Computing in December 2021
PROBLEM STATEMENT
● JavaScript frameworks are released every year, and we don’t know how the
cross-site request forgery vulnerability is mitigated in several server-side
JavaScript frameworks.
WHY JAVASCRIPT
 It’s because, according to the StackOverflow Developer Survey of 2021, JavaScript is named “the
most commonly used programming language” for the ninth year in a row. [1]
Security Levels
● L0 - No mitigation in place. This provides a base case of lack of any protection.
● L1 - A custom function that is written by developers and included in their own code.
● L2 - An external library that provides a sanitization function.
● L3 - A framework plugin, similar to an external library, that is third-party code used by developers.
● L4 - A built-in mitigation control that is implemented in the framework as a function or feature.
Frameworks and Libraries
We selected four JavaScript
frameworks based on their
popularity
Express
For CSRF protection, there are two
popular plugins: csrf and csurf
Koa
The most commonly used for CSRF
protection is the koa-csrf plugin
Hapi.js
The crumb plugin implements CSRF
protection with the double-submit
cookie technique
Sails.js
Sails has several built-in security
features. And one of such security
features is CSRF protection.
Meteor.js
Uses the Distributed Data Protocol (DDP)
rather than plain HTTP. To maintain
sessions it stores the session token in
localStorage (LS) instead of a cookie.
EXPRESS
 For CSRF protection in Express there are two popular plugins: csrf and csurf. The
csurf middleware builds on top of csrf and provides protection at level L3.
Fig:1.1 Express [1]
Koa
 The most commonly used plugin for CSRF protection in Koa is koa-csrf. It is
used globally, and the token can be submitted in the request body, as a query
parameter, or as an HTTP header. The koa-csrf plugin implements the CSRF
security control at level L3.
Fig: 1.2 Koa [1]
Hapi.js
 The most common plugin for CSRF protection is crumb and it implements
CSRF protection with the double-submit cookie technique. Thus, similar to
Express and Koa, the Hapi framework provides the CSRF security control with
the crumb plugin at mitigation level L3.
Fig:1.3 Hapi [1]
Sails.js
 Sails has several built-in security features which are configured as policies
and implemented as middleware functions. One such security feature is
CSRF protection. Therefore, it implements CSRF protection at level L4.
Fig: 1.4 Sails [1]
Meteor.js
 Meteor.js uses the Distributed Data Protocol (DDP) instead of sending traditional
HTTP requests to exchange data between the server and the client.
 To maintain sessions, Meteor stores a session token in localStorage
instead of a cookie, which is used to establish a long-lived WebSocket
connection.
 It implements CSRF protection at level L5 - Architecture-level mitigation
control.
FINAL
RESULTS
RESULT ANALYSIS
Table 1: Results Tables [1]
FUTURE WORK
 Most JavaScript libraries that use plugins for CSRF
protection provide L3-level security, but we can
improve it to L4.
PAPER 2
 Where We Stand (or Fall): An Analysis of
CSRF Defenses in Web Frameworks
• Published by the Association for Computing Machinery, New York,
on 7 October 2021
TABLE 1
Overview of CSRF defenses and threats. The left part summarizes our survey of CSRF
defenses. The right part shows the mapping between each defense and potential threats. [2]
TABLE 2
Frequency of the combination of CSRF defenses. Each
entry in this symmetric table shows the number of
frameworks that use a certain combination. [2]
TABLE 3
Summary of results on top five frameworks of top five languages. [2]
TABLE 4
Summary of results on less popular frameworks of top four languages. Only five
frameworks were identified for C#. [2]
PAPER 3
 Mitch: A Machine Learning Approach to
the Black-Box Detection of CSRF
Vulnerabilities
• Published in: 2019 IEEE European Symposium on Security
and Privacy (EuroS&P)
PROBLEM STATEMENT
 Deemon is the first research tool
that automatically detects CSRF
vulnerabilities, but it works for PHP
only, and previous research
highlighted that existing web
application scanners are not
effective in this task.
HTTP REQUEST CLASSIFICATION
 Structural features are the category of features that describe
structural properties of an HTTP request.
 Numerical features:
• numOfParams
• numOfBools
• numOfBlobs
• reqLen
HTTP REQUEST CLASSIFICATION
● The average number of parameters of sensitive requests is around 6.27, while for
insensitive ones it is 3.43.
● It is evident that the median value of numOfParams is significantly higher for
sensitive than for insensitive HTTP requests.
Fig: 3.1 - Distribution of numOfParam [3]
HTTP REQUEST CLASSIFICATION
● This figure suggests that the length of sensitive requests is somewhat
more consistent and bounded within a smaller range of generally higher
values.
Fig: 3.2 - Distribution of reqLen [3]
HTTP REQUEST CLASSIFICATION
● This is the distribution of the two functional features isGET and isPOST across sensitive and
insensitive requests.
● We observe that about 30% of POST requests are labeled as sensitive, while only
5% of GET requests are sensitive.
Fig: 3.3 - Distribution of class labels across the two functional
features [3]
Feature Importance
● We use the importance score as provided by the scikit-learn package, which in turn
implements it using Gini impurity. Here are the top 10 most important features
derived from our RF classifier.
● We can observe that the two most important features are reqLen and numOfParams,
followed by the two features encoding the request method.
Fig: 3.4 - Top10 most important features derived from
our RF [3]
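How the structural and functional features listed above are derived from raw HTTP requests, with the per-class mean comparison the paper draws for numOfParams. This is an added example, not Mitch's own code; the criteria for what counts as a boolean or a blob parameter, the sample traffic and its labels are assumptions constructed here.

```javascript
// Added example, not Mitch's own code: derive the structural features named
// above (numOfParams, numOfBools, numOfBlobs, reqLen) and the two functional
// features (isGET, isPOST) from raw HTTP requests. What counts as a "boolean"
// or a "blob" parameter is an assumption of this example, not the paper's
// definition.
const BOOL_VALUES = new Set(['true', 'false', '0', '1', 'on', 'off', 'yes', 'no']);
const BLOB_MIN_LEN = 32;                 // assumed: long opaque values are blobs
const BLOB_RE = /^[A-Za-z0-9+\/=_-]+$/;  // base64/hex-like alphabet

// Minimal parser for "METHOD /path?query HTTP/1.1\r\nHeader: v\r\n\r\nbody".
function parseRawRequest(raw) {
  const [head, body = ''] = raw.split('\r\n\r\n');
  const lines = head.split('\r\n');
  const [method = 'GET', target = '/'] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  const q = target.indexOf('?');
  return {
    method: method.toUpperCase(),
    path: q < 0 ? target : target.slice(0, q),
    query: q < 0 ? '' : target.slice(q + 1),
    headers,
    body,
  };
}

// Parameters come from the query string plus the body: JSON bodies are taken
// one level deep, anything else is treated as form-urlencoded.
function collectParams(req) {
  const params = [];
  const addForm = (s) => { for (const [k, v] of new URLSearchParams(s)) params.push([k, v]); };
  addForm(req.query);
  if (!req.body) return params;
  if ((req.headers['content-type'] || '').includes('application/json')) {
    try {
      for (const [k, v] of Object.entries(JSON.parse(req.body))) {
        params.push([k, typeof v === 'object' ? JSON.stringify(v) : String(v)]);
      }
      return params;
    } catch (e) { /* not valid JSON: fall through and treat it as form data */ }
  }
  addForm(req.body);
  return params;
}

const isBool = (v) => BOOL_VALUES.has(v.toLowerCase());
const isBlob = (v) => v.length >= BLOB_MIN_LEN && BLOB_RE.test(v);

// The feature vector, in the order the page lists the features.
function extractFeatures(raw) {
  const req = parseRawRequest(raw);
  const params = collectParams(req);
  return {
    numOfParams: params.length,
    numOfBools: params.filter(([, v]) => isBool(v)).length,
    numOfBlobs: params.filter(([, v]) => isBlob(v)).length,
    reqLen: raw.length,
    isGET: req.method === 'GET' ? 1 : 0,
    isPOST: req.method === 'POST' ? 1 : 0,
  };
}

// Per-class mean of one feature over labelled samples: the comparison the
// paper draws for numOfParams between sensitive and insensitive requests.
function meanByLabel(samples, feature) {
  const sums = {}, counts = {};
  for (const { raw, label } of samples) {
    sums[label] = (sums[label] || 0) + extractFeatures(raw)[feature];
    counts[label] = (counts[label] || 0) + 1;
  }
  return Object.fromEntries(Object.keys(sums).map((l) => [l, sums[l] / counts[l]]));
}

// Constructed sample traffic with hand-assigned labels.
const SAMPLE_REQUESTS = [
  { label: 'insensitive',
    raw: 'GET /profile?tab=posts&page=2 HTTP/1.1\r\nHost: app.example\r\n\r\n' },
  { label: 'sensitive',
    raw: 'POST /settings/update HTTP/1.1\r\nHost: app.example\r\n' +
         'Content-Type: application/x-www-form-urlencoded\r\n\r\n' +
         'email=alice%40example.test&newsletter=true&public=false&display_name=Alice&_csrf=' +
         'a'.repeat(40) },
];
```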
CSRF Detection Algorithm
● The algorithm works by first building a set of candidate vulnerabilities,
based on sensitive requests which produce dissimilar responses.
Fig: 3.5 - Algorithm 1 CSRF Detection Algorithm [3]
SOLUTION
● Adversarial learning is an active research area whose main goal is designing
classification algorithms which are robust to the presence of attackers who actively
try to fool them into misprediction.
Fig: 3.6 Mitch architecture[3]
FUTURE WORK
● There are a number of avenues for future work. Adversarial
learning is an active research area whose main goal is
designing classification algorithms which are robust to the
presence of attackers who actively try to fool them into
misprediction.
PAPER 4
 Machine Learning for Web Vulnerability
Detection: The Case of Cross-Site
Request Forgery
• Published in Elsevier Microprocessor and Microsystems
journal, Volume 80, Article 103615, February 2021
PROBLEM STATEMENT
● For automated CSRF prevention, the SameSite cookie attribute
can be used to prevent cookie attachment on cross-site
requests.
● Unfortunately, this defense is not yet widespread.
SOLUTION
 Supervised learning automatically trains a classifier which
partitions selected web objects of interest, e.g. HTTP
requests, HTTP responses or cookies, based on the web
application semantics. For example, in the case of CSRF
detection, the classifier would be used to identify security-
sensitive HTTP requests.
Architecture of Mitch
Fig: 4.1 Mitch architecture[4]
CSRF DETECTION ON EXISTING WEBSITES
Table: 4.1 - CSRF DETECTION ON EXISTING WEBSITES [4]
CSRF DETECTION ON PRODUCTION SOFTWARE
Table: 4.2 - CSRF DETECTION ON PRODUCTION
SOFTWARE [4]
PAPER 5
 Automatic Black-Box Detection of
Resistance Against CSRF Vulnerabilities in
Web Applications
• Published in Elsevier Microprocessor and Microsystems
journal, Volume 80, Article 103615, February 2021
PROBLEM STATEMENT
• Shahriar and Zulkernine implemented a plugin. It impacts the speed and
performance of the browser.
• OWASP has developed a tool, namely CSRFTester. This approach was manual
and time consuming.
• Deemon is another tool designed to detect CSRF vulnerabilities. Deemon can’t
be used on every web application.
CSRF DETECTION SYSTEM
Architecture of the Proposed CSRF Detection
System.
Fig: 5.1 - The Architecture of the Proposed CSRF
Detection System. [5]
CSRF DETECTION RULES
The Order of Applying Anti-CSRF Detection
Rules.
Fig: 5.2 - The Order of Applying Anti-CSRF Detection
Rules. [5]
ARCHITECTURE
The Architecture of Our System to Detect
Resistant Requests Against CSRF.
Fig: 5.3 - The Architecture of Our System to Detect
Resistant Requests Against CSRF.[5]
DETECTION RULES
• Confidence rules: The confidence rules divide detected tokens into two sets
of reliable and unreliable tokens.
• Precision rules: Remove the false detections. All request-level tokens are
removed from the set of session-level tokens.
RESULTS
The Number of Detected Anti-CSRF Tokens vs. the
Expected Number of Anti-CSRF Tokens for Chmail With
the Augmented Traffic.
Table: 5.1 - Anti-CSRF token detect.[5]
FUTURE WORK
 We plan to investigate more on the CSRF defense mechanisms
and extend the proposed rules to reduce the number of false
detections of the method.
 We also plan to work on the implementation issues of our method
and improve the efficiency of the current implementation.
SUMMARIZATION
Sr no. | Name of paper | Publication details | Proposed solution | Research possibility | Tools and technology
1. | CSRF protection in JavaScript frameworks and the security of JavaScript applications. | Published in High-Confidence Computing, December 2021 | Got the external plugins for CSRF protection. | Can work on extra-level security and find the plugin with extra security. | JavaScript, Express, Koa, Hapi.js, Sails.js, Meteor.js
2. | Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks | Published by the Association for Computing Machinery, New York, on 7 October 2021 | Analyze new threats and get the solutions according to the threat. | Can work on analysing new threats or their categories and checking their security level. | Frameworks of JavaScript, Java, Python, PHP, C#
3. | Machine Learning for Web Vulnerability Detection: The Case of Cross-Site Request Forgery | Published in IEEE Security & Privacy (Volume 18) on 22 January 2020 | Filter sensitive and insensitive requests and apply the CSRF detection algorithm. | Plan to improve classifiers and reduce the number of false positives and false negatives reported by Mitch. | Supervised learning, ML classifier, Python, Mitch
4. | Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF Vulnerabilities | Published in 2019 IEEE European Symposium on Security and Privacy (EuroS&P) | Black-box detection of CSRF vulnerabilities | Using VGG-16 approach for the classification of disease as it gives the most optimal solution. | Supervised learning, ML classifier, Python, Mitch
5. | Automatic Black-Box Detection of Resistance Against CSRF Vulnerabilities in Web Applications | Published in Elsevier Microprocessor and Microsystems journal, Volume 80, Article 103615, February 2021 | Black-box detection of CSRF vulnerabilities in web applications. | Extend the proposed rules to reduce the number of false detections of the method. | Open Web Application Security Project, buggy web application
FUTURE WORK POSSIBILITY
 We can work on finding the best plugin that provides a high security
level for our JS library.
 Adversarial learning, whose main goal is classifiers that stay robust
against attackers who try to fool them.
 We plan to investigate more on the CSRF defense mechanisms and
extend the proposed rules to reduce the number of false
detections of the method.
 We also plan to work on the implementation issues of our method
and improve the efficiency of the current implementation.
CONCLUSION
 Cross-Site Request Forgery (CSRF) is one of
the oldest and simplest attacks on the Web,
yet it is still effective on many websites and it
can lead to severe consequences, such as
economic losses and account takeovers.
Unfortunately, tools and techniques
proposed so far to identify CSRF
vulnerabilities either need manual reviewing
by human experts or assume the availability
of the source code of the web application.
REFERENCES
1. CSRF protection in JavaScript frameworks and the security of JavaScript
applications. [1]
2. Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks. [2]
3. Automatic Black-Box Detection of Resistance Against CSRF Vulnerabilities in
Web Applications. [3]
4. Machine Learning for Web Vulnerability Detection: The Case of Cross-Site
Request Forgery. [4]
5. Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF
Vulnerabilities. [5]
THANK YOU

More Related Content

Similar to SOHIL_RM (1).pptx

FALCON.pptx
FALCON.pptxFALCON.pptx
FALCON.pptx
AvinashRanjan80
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
lior mazor
 
Software Reverse Engineering in a Security Context
Software Reverse Engineering in a Security ContextSoftware Reverse Engineering in a Security Context
Software Reverse Engineering in a Security Context
Lokendra Rawat
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY  VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY  VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
IJNSA Journal
 
Standardizing Source Code Security Audits
Standardizing Source Code Security AuditsStandardizing Source Code Security Audits
Standardizing Source Code Security Audits
ijseajournal
 
20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)
LeClubQualiteLogicielle
 
Cloud Intrusion and Autonomic Management in Autonomic Cloud Computing
Cloud Intrusion and Autonomic Management in Autonomic Cloud ComputingCloud Intrusion and Autonomic Management in Autonomic Cloud Computing
Cloud Intrusion and Autonomic Management in Autonomic Cloud Computing
ijtsrd
 
A035401010
A035401010A035401010
A035401010
inventionjournals
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection Attack
IJRESJOURNAL
 
A hybrid model to detect malicious executables
A hybrid model to detect malicious executablesA hybrid model to detect malicious executables
A hybrid model to detect malicious executables
UltraUploader
 
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONSSECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
ijseajournal
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || Linux
Zain Abid
 
A Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk Intelligence
Checkmarx
 
LDAP Injection Techniques
LDAP Injection TechniquesLDAP Injection Techniques
LDAP Injection Techniques
Chema Alonso
 
Introduction to llvm
Introduction to llvmIntroduction to llvm
Introduction to llvm
Tao He
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Alex Senkevitch
 
Review the steps found in business process engineering. Review the.docx
Review the steps found in business process engineering. Review the.docxReview the steps found in business process engineering. Review the.docx
Review the steps found in business process engineering. Review the.docx
joellemurphey
 
Effective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSEffective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaS
IRJET Journal
 
Aspect Oriented Programming Through C#.NET
Aspect Oriented Programming Through C#.NETAspect Oriented Programming Through C#.NET
Aspect Oriented Programming Through C#.NET
Waqas Tariq
 
Resume_Appaji
Resume_AppajiResume_Appaji
Resume_Appaji
Appaji K
 

Similar to SOHIL_RM (1).pptx (20)

FALCON.pptx
FALCON.pptxFALCON.pptx
FALCON.pptx
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Software Reverse Engineering in a Security Context
Software Reverse Engineering in a Security ContextSoftware Reverse Engineering in a Security Context
Software Reverse Engineering in a Security Context
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY  VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY  VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
 
Standardizing Source Code Security Audits
Standardizing Source Code Security AuditsStandardizing Source Code Security Audits
Standardizing Source Code Security Audits
 
20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)
 
Cloud Intrusion and Autonomic Management in Autonomic Cloud Computing
Cloud Intrusion and Autonomic Management in Autonomic Cloud ComputingCloud Intrusion and Autonomic Management in Autonomic Cloud Computing
Cloud Intrusion and Autonomic Management in Autonomic Cloud Computing
 
A035401010
A035401010A035401010
A035401010
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection Attack
 
A hybrid model to detect malicious executables
A hybrid model to detect malicious executablesA hybrid model to detect malicious executables
A hybrid model to detect malicious executables
 
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONSSECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
SECURITY FOR DEVOPS DEPLOYMENT PROCESSES: DEFENSES, RISKS, RESEARCH DIRECTIONS
 
Factors Affecting the System Safety || Linux
Factors Affecting the System Safety || LinuxFactors Affecting the System Safety || Linux
Factors Affecting the System Safety || Linux
 
A Platform for Application Risk Intelligence
A Platform for Application Risk IntelligenceA Platform for Application Risk Intelligence
A Platform for Application Risk Intelligence
 
LDAP Injection Techniques
LDAP Injection TechniquesLDAP Injection Techniques
LDAP Injection Techniques
 
Introduction to llvm
Introduction to llvmIntroduction to llvm
Introduction to llvm
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
 
Review the steps found in business process engineering. Review the.docx
Review the steps found in business process engineering. Review the.docxReview the steps found in business process engineering. Review the.docx
Review the steps found in business process engineering. Review the.docx
 
Effective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaSEffective Information Flow Control as a Service: EIFCaaS
Effective Information Flow Control as a Service: EIFCaaS
 
Aspect Oriented Programming Through C#.NET
Aspect Oriented Programming Through C#.NETAspect Oriented Programming Through C#.NET
Aspect Oriented Programming Through C#.NET
 
Resume_Appaji
Resume_AppajiResume_Appaji
Resume_Appaji
 

Recently uploaded

22PH503 - Astronomy and Astrophysics - Unit 2 - Spectral Classification of Stars
22PH503 - Astronomy and Astrophysics - Unit 2 - Spectral Classification of Stars22PH503 - Astronomy and Astrophysics - Unit 2 - Spectral Classification of Stars
22PH503 - Astronomy and Astrophysics - Unit 2 - Spectral Classification of Stars
RDhivya6
 
Quality assurance B.pharm 6th semester BP606T UNIT 5
Quality assurance B.pharm 6th semester BP606T UNIT 5Quality assurance B.pharm 6th semester BP606T UNIT 5
Quality assurance B.pharm 6th semester BP606T UNIT 5
vimalveerammal
 
Evaluation and Identification of J'BaFofi the Giant Spider of Congo and Moke...
Evaluation and Identification of J'BaFofi the Giant  Spider of Congo and Moke...Evaluation and Identification of J'BaFofi the Giant  Spider of Congo and Moke...
Evaluation and Identification of J'BaFofi the Giant Spider of Congo and Moke...
MrSproy
 
Mechanics:- Simple and Compound Pendulum
Mechanics:- Simple and Compound PendulumMechanics:- Simple and Compound Pendulum
Mechanics:- Simple and Compound Pendulum
PravinHudge1
 
2001_Book_HumanChromosomes - Genéticapdf
2001_Book_HumanChromosomes - Genéticapdf2001_Book_HumanChromosomes - Genéticapdf
2001_Book_HumanChromosomes - Genéticapdf
lucianamillenium
 
Compositions of iron-meteorite parent bodies constrainthe structure of the pr...
Compositions of iron-meteorite parent bodies constrainthe structure of the pr...Compositions of iron-meteorite parent bodies constrainthe structure of the pr...
Compositions of iron-meteorite parent bodies constrainthe structure of the pr...
Sérgio Sacani
 
BIRDS DIVERSITY OF SOOTEA BISWANATH ASSAM.ppt.pptx
BIRDS  DIVERSITY OF SOOTEA BISWANATH ASSAM.ppt.pptxBIRDS  DIVERSITY OF SOOTEA BISWANATH ASSAM.ppt.pptx
BIRDS DIVERSITY OF SOOTEA BISWANATH ASSAM.ppt.pptx
goluk9330
 
Holsinger, Bruce W. - Music, body and desire in medieval culture [2001].pdf
Holsinger, Bruce W. - Music, body and desire in medieval culture [2001].pdfHolsinger, Bruce W. - Music, body and desire in medieval culture [2001].pdf
Holsinger, Bruce W. - Music, body and desire in medieval culture [2001].pdf
frank0071
 
Mapping the Growth of Supermassive Black Holes as a Function of Galaxy Stella...
Mapping the Growth of Supermassive Black Holes as a Function of Galaxy Stella...Mapping the Growth of Supermassive Black Holes as a Function of Galaxy Stella...
Mapping the Growth of Supermassive Black Holes as a Function of Galaxy Stella...
Sérgio Sacani
 
Candidate young stellar objects in the S-cluster: Kinematic analysis of a sub...
Candidate young stellar objects in the S-cluster: Kinematic analysis of a sub...Candidate young stellar objects in the S-cluster: Kinematic analysis of a sub...
Candidate young stellar objects in the S-cluster: Kinematic analysis of a sub...
Sérgio Sacani
 
Gadgets for management of stored product pests_Dr.UPR.pdf
Gadgets for management of stored product pests_Dr.UPR.pdfGadgets for management of stored product pests_Dr.UPR.pdf
Gadgets for management of stored product pests_Dr.UPR.pdf
PirithiRaju
 
acanthocytes_causes_etiology_clinical sognificance-future.pptx
acanthocytes_causes_etiology_clinical sognificance-future.pptxacanthocytes_causes_etiology_clinical sognificance-future.pptx
acanthocytes_causes_etiology_clinical sognificance-future.pptx
muralinath2
 
Lattice Defects in ionic solid compound.pptx
Lattice Defects in ionic solid compound.pptxLattice Defects in ionic solid compound.pptx
Lattice Defects in ionic solid compound.pptx
DrRajeshDas
 
BANANA BUNCHY TOP K R.pptx
BANANA BUNCHY  TOP               K R.pptxBANANA BUNCHY  TOP               K R.pptx
BANANA BUNCHY TOP K R.pptx
KARTHIK REDDY C A
 
Embracing Deep Variability For Reproducibility and Replicability
Embracing Deep Variability For Reproducibility and ReplicabilityEmbracing Deep Variability For Reproducibility and Replicability
Embracing Deep Variability For Reproducibility and Replicability
University of Rennes, INSA Rennes, Inria/IRISA, CNRS
 
Sexuality - Issues, Attitude and Behaviour - Applied Social Psychology - Psyc...
Sexuality - Issues, Attitude and Behaviour - Applied Social Psychology - Psyc...Sexuality - Issues, Attitude and Behaviour - Applied Social Psychology - Psyc...
Sexuality - Issues, Attitude and Behaviour - Applied Social Psychology - Psyc...
PsychoTech Services
 
seed production, Nursery & Gardening.pdf
seed production, Nursery & Gardening.pdfseed production, Nursery & Gardening.pdf
seed production, Nursery & Gardening.pdf
Nistarini College, Purulia (W.B) India
 
Synopsis presentation VDR gene polymorphism and anemia (2).pptx
Synopsis presentation VDR gene polymorphism and anemia (2).pptxSynopsis presentation VDR gene polymorphism and anemia (2).pptx
Synopsis presentation VDR gene polymorphism and anemia (2).pptx
FarhanaHussain18
 
Nutaceuticsls herbal drug technology CVS, cancer.pptx
Nutaceuticsls herbal drug technology CVS, cancer.pptxNutaceuticsls herbal drug technology CVS, cancer.pptx
Nutaceuticsls herbal drug technology CVS, cancer.pptx
vimalveerammal
 
gastroretentive drug delivery system-PPT.pptx
gastroretentive drug delivery system-PPT.pptxgastroretentive drug delivery system-PPT.pptx
gastroretentive drug delivery system-PPT.pptx
Shekar Boddu
 

Recently uploaded (20)

22PH503 - Astronomy and Astrophysics - Unit 2 - Spectral Classification of Stars
22PH503 - Astronomy and Astrophysics - Unit 2 - Spectral Classification of Stars22PH503 - Astronomy and Astrophysics - Unit 2 - Spectral Classification of Stars
22PH503 - Astronomy and Astrophysics - Unit 2 - Spectral Classification of Stars
 
Quality assurance B.pharm 6th semester BP606T UNIT 5
Quality assurance B.pharm 6th semester BP606T UNIT 5Quality assurance B.pharm 6th semester BP606T UNIT 5
Quality assurance B.pharm 6th semester BP606T UNIT 5
 
Evaluation and Identification of J'BaFofi the Giant Spider of Congo and Moke...
Evaluation and Identification of J'BaFofi the Giant  Spider of Congo and Moke...Evaluation and Identification of J'BaFofi the Giant  Spider of Congo and Moke...
Evaluation and Identification of J'BaFofi the Giant Spider of Congo and Moke...
 
Mechanics:- Simple and Compound Pendulum
Mechanics:- Simple and Compound PendulumMechanics:- Simple and Compound Pendulum
Mechanics:- Simple and Compound Pendulum
 
2001_Book_HumanChromosomes - Genéticapdf
2001_Book_HumanChromosomes - Genéticapdf2001_Book_HumanChromosomes - Genéticapdf
2001_Book_HumanChromosomes - Genéticapdf
 
Compositions of iron-meteorite parent bodies constrainthe structure of the pr...
Compositions of iron-meteorite parent bodies constrainthe structure of the pr...Compositions of iron-meteorite parent bodies constrainthe structure of the pr...
Compositions of iron-meteorite parent bodies constrainthe structure of the pr...
 
BIRDS DIVERSITY OF SOOTEA BISWANATH ASSAM.ppt.pptx
BIRDS  DIVERSITY OF SOOTEA BISWANATH ASSAM.ppt.pptxBIRDS  DIVERSITY OF SOOTEA BISWANATH ASSAM.ppt.pptx
BIRDS DIVERSITY OF SOOTEA BISWANATH ASSAM.ppt.pptx
 
Holsinger, Bruce W. - Music, body and desire in medieval culture [2001].pdf
Holsinger, Bruce W. - Music, body and desire in medieval culture [2001].pdfHolsinger, Bruce W. - Music, body and desire in medieval culture [2001].pdf
Holsinger, Bruce W. - Music, body and desire in medieval culture [2001].pdf
 
Mapping the Growth of Supermassive Black Holes as a Function of Galaxy Stella...
SOHIL_RM (1).pptx

  • 11. Security Levels
    ● L0 - No mitigation in place. This provides a base case of lack of any protection.
    ● L1 - Custom function that is written by developers and is included in their own code.
    ● L2 - An external library that provides a sanitization function.
    ● L3 - A framework plugin, similar to an external library, that is third-party code used by developers.
    ● L4 - Built-in mitigation control, that is implemented in the framework as a function or feature.
  • 12. Frameworks and Libraries
    We selected four JavaScript frameworks based on their popularity.
    ● Express: For CSRF protection, there are two popular plugins: csrf and csurf.
    ● Koa: The most commonly used plugin for CSRF protection is koa-csrf.
    ● Hapi.js: The crumb plugin implements CSRF protection with the double-submit cookie technique.
    ● Sails.js: Sails has several built-in security features, and one of them is CSRF protection.
    ● Meteor.js: No HTTP, only the Distributed Data Protocol (DDP); to maintain sessions it stores the session token in localStorage instead of a cookie.
  • 13. EXPRESS  In Express, there are two popular plugins for CSRF protection: csrf and csurf. The csurf middleware builds on top of csrf and provides protection at level L3. Fig: 1.1 Express [1]
  • 14. Koa  In Koa, the most commonly used plugin for CSRF protection is koa-csrf. It is used globally, and the token can be submitted in the request body, as a query parameter, or as an HTTP header. The koa-csrf plugin implements the CSRF security control at level L3. Fig: 1.2 Koa [1]
  • 15. Hapi.js  The most common plugin for CSRF protection is crumb, which implements CSRF protection with the double-submit cookie technique. Thus, similar to Express and Koa, the Hapi framework provides the CSRF security control through the crumb plugin at mitigation level L3. Fig: 1.3 Hapi [1]
  • 16. Sails.js  Sails has several built-in security features, which are configured as policies and implemented as middleware functions. One such security feature is CSRF protection. Therefore, it implements CSRF protection at level L4. Fig: 1.4 Sails [1]
  • 17. Meteor.js  Instead of sending traditional HTTP requests, Meteor.js uses the Distributed Data Protocol (DDP) to exchange data between the server and the client.  To maintain sessions, Meteor stores a session token in localStorage instead of a cookie, and the token is used to establish a long-lived WebSocket connection.  It implements CSRF protection at level L5 - architecture-level mitigation control.
  • 19. RESULT ANALYSIS Table 1: Results Tables [1]
  • 20. FUTURE WORK  Most JavaScript frameworks that rely on plugins for CSRF protection provide L3 security, but this could be improved to L4.
  • 21. PAPER 2  Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks • Published in Association for Computing Machinery, New York on 7 October 2021
  • 22. TABLE 1 Overview of CSRF defenses and threats. The left part summarizes our survey of CSRF defenses. The right part shows the mapping between each defense and potential threats. [2]
  • 23. TABLE 2 Frequency of the combination of CSRF defenses. Each entry in this symmetric table shows the number of frameworks that use a certain combination. [2]
  • 24. TABLE 3 Summary of results on top five frameworks of top five languages. [2]
  • 25. TABLE 4 Summary of results on less popular frameworks of top four languages. Only five frameworks were identified for C#. [2]
  • 26. PAPER 3  Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF Vulnerabilities • Published in: 2019 IEEE European Symposium on Security and Privacy (EuroS&P)
  • 27. PROBLEM STATEMENT  Deemon is the first research tool that automatically detects CSRF vulnerabilities, but it works for PHP only, and previous research highlighted that existing web application scanners are not effective at this task.
  • 28. HTTP REQUEST CLASSIFICATION  Structural is the category of features that describes structural properties of an HTTP request.  Numerical features:
    • numOfParams
    • numOfBools
    • numOfBlobs
    • reqLen
  • 29. HTTP REQUEST CLASSIFICATION ● The average number of parameters of sensitive requests is around 6.27, while for insensitive ones it is 3.43. ● It is evident that the median value of numOfParams is significantly higher for sensitive than for insensitive HTTP requests. Fig: 3.1 - Distribution of numOfParams [3]
  • 30. HTTP REQUEST CLASSIFICATION ● This figure suggests that the length of sensitive requests is somewhat more consistent and bounded within a smaller range of generally higher values. Fig: 3.2 - Distribution of reqLen [3]
  • 31. HTTP REQUEST CLASSIFICATION ● This is the distribution of the two features isGET and isPOST across sensitive and insensitive requests. ● We observe that about 30% of POST requests are labeled as sensitive, while only 5% of GET requests are sensitive. Fig: 3.3 - Distribution of class labels across the two functional features [3]
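The structural features (numOfParams, numOfBools, numOfBlobs, reqLen) and functional features (isGET, isPOST) named on slides 28 to 31, extracted from raw requests as an added example that is not Mitch's own code. The boolean value list, the blob length threshold, the request object shape and the sample requests are all assumptions made here, since the slides name the features without defining them.

```javascript
// Values treated as boolean-valued parameters (an assumption for this example).
const BOOL_VALUES = new Set(["true", "false", "0", "1", "on", "off", "yes", "no"]);
// Minimum value length for a parameter to count as a blob (assumed threshold).
const BLOB_MIN_LEN = 100;

// Gather [name, value] pairs from the query string and a urlencoded body.
// `req` is a plain object {method, url, body}, not a framework request.
function collectParams(req) {
  // The base URL only lets URL() parse a path-relative request target.
  const target = new URL(req.url, "http://example.invalid");
  const params = Array.from(target.searchParams);
  if (req.body) params.push(...new URLSearchParams(req.body));
  return params;
}

// Build the structural and functional feature vector for one request.
function extractFeatures(req) {
  const values = collectParams(req).map(([, v]) => v);
  const requestLine = `${req.method} ${req.url}`;
  return {
    numOfParams: values.length,
    numOfBools: values.filter((v) => BOOL_VALUES.has(v.toLowerCase())).length,
    numOfBlobs: values.filter((v) => v.length >= BLOB_MIN_LEN).length,
    reqLen: requestLine.length + (req.body ? req.body.length : 0),
    isGET: req.method === "GET" ? 1 : 0,
    isPOST: req.method === "POST" ? 1 : 0,
  };
}

// Constructed sample requests (not taken from the paper's dataset): a read-only
// lookup and a profile update with boolean flags and a long free-text field.
const SAMPLE_REQUESTS = [
  { method: "GET", url: "/profile?id=42", body: null },
  {
    method: "POST",
    url: "/account/update",
    body: "id=42&name=Alice&newsletter=true&public=0&bio=" + "x".repeat(120),
  },
];

// One feature row per request, ready to feed a classifier such as the RF in Mitch.
function featureMatrix(reqs) {
  return reqs.map(extractFeatures);
}

console.log(featureMatrix(SAMPLE_REQUESTS));
```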
  • 32. Feature Importance ● We use the importance score as provided by the scikit-learn package, which in turn implements it using Gini impurity. Here are the top-10 most important features derived from our RF classifier. ● We can observe that the two most important features are reqLen and numOfParams, followed by the two features encoding the request method. Fig: 3.4 - Top-10 most important features derived from our RF [3]
  • 33. CSRF Detection Algorithm ● The algorithm works by first building a set of candidate vulnerabilities, based on sensitive requests which produce dissimilar responses. Fig: 3.5 - Algorithm 1 CSRF Detection Algorithm [3]
  • 34. SOLUTION ● Adversarial learning is an active research area whose main goal is designing classification algorithms which are robust to the presence of attackers who actively try to fool them into misprediction. Fig: 3.6 Mitch architecture [3]
  • 35. FUTURE WORK ● There are a number of avenues for future work. Adversarial learning is an active research area whose main goal is designing classification algorithms which are robust to the presence of attackers who actively try to fool them into misprediction.
  • 36. PAPER 4  Machine Learning for Web Vulnerability Detection: The Case of Cross-Site Request Forgery • Published in Elsevier Microprocessor and Microsystems journal, Volume 80, Article 103615, February 2021
  • 37. PROBLEM STATEMENT ● For automated CSRF prevention, the SameSite cookie attribute can be used to prevent cookie attachment on cross-site requests. ● Unfortunately, this defense is not yet widespread.
  • 38. SOLUTION  Supervised learning automatically trains a classifier which partitions selected web objects of interest, e.g. HTTP requests, HTTP responses or cookies, based on the web application semantics. For example, in the case of CSRF detection, the classifier would be used to identify security-sensitive HTTP requests.
  • 39. Architecture of Mitch Fig: 4.1 Mitch architecture[4]
  • 40. CSRF DETECTION ON EXISTING WEBSITES Table: 4.1 - CSRF DETECTION ON EXISTING WEBSITES [4]
  • 41. CSRF DETECTION ON PRODUCTION SOFTWARE Table: 4.2 - CSRF DETECTION ON PRODUCTION SOFTWARE [4]
  • 42. PAPER 5  Automatic Black-Box Detection of Resistance Against CSRF Vulnerabilities in Web Applications • Published in Elsevier Microprocessor and Microsystems journal, Volume 80, Article 103615, February 2021
  • 43. PROBLEM STATEMENT
    • Shahriar and Zulkernine implemented a plugin, but it impacts the speed and performance of the browser.
    • OWASP has developed a tool, namely CSRFTester, but this approach was manual and time consuming.
    • Deemon is another tool designed to detect CSRF vulnerabilities, but it can't be used in web applications.
  • 44. CSRF DETECTION SYSTEM Fig: 5.1 - The Architecture of the Proposed CSRF Detection System. [5]
  • 45. CSRF DETECTION RULES Fig: 5.2 - The Order of Applying Anti-CSRF Detection Rules. [5]
  • 46. ARCHITECTURE Fig: 5.3 - The Architecture of Our System to Detect Resistant Requests Against CSRF. [5]
  • 47. DETECTION RULES
    • Confidence rules: divide the detected tokens into two sets, reliable and unreliable tokens.
    • Precision rules: remove the false detections; all request-level tokens are removed from the set of session-level tokens.
  • 48. RESULTS The Number of Detected Anti-CSRF Tokens vs. the Expected Number of Anti-CSRF Tokens for Chmail With the Augmented Traffic. Table: 5.1 - Anti-CSRF token detect.[5]
  • 49. FUTURE WORK  We plan to investigate more on the CSRF defense mechanisms and extend the proposed rules to reduce the number of false detections of the method.  We also plan to work on the implementation issues of our method and improve the efficiency of the current implementation.
  • 51. SUMMARIZATION
    1. CSRF protection in JavaScript frameworks and the security of JavaScript applications.
       Publication details: Published in High-Confidence Computing, December 2021
       Proposed solution: Got the external plugins for CSRF protection.
       Research possibility: Can work for extra level security and find the plugin with extra security.
       Tools and technology: JavaScript, Express, Koa, Hapi.js, Sails.js, Meteor.js
  • 52. SUMMARIZATION
    2. Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks
       Publication details: Published in Association for Computing Machinery, New York, on 7 October 2021
       Proposed solution: Analyze new threats and get the solutions according to the threat.
       Research possibility: Can work on analysing new threats or their categories and checking their security level.
       Tools and technology: Frameworks of JavaScript, Java, Python, PHP, C#
  • 53. SUMMARIZATION
    3. Machine Learning for Web Vulnerability Detection: The Case of Cross-Site Request Forgery
       Publication details: Published in IEEE Security & Privacy (Volume 18) on 22 January 2020
       Proposed solution: Filter sensitive and insensitive requests and apply the CSRF detection algorithm.
       Research possibility: Plan to improve classifiers and reduce the number of false positives and false negatives reported by Mitch.
       Tools and technology: Supervised learning, ML classifier, Python, Mitch
  • 54. SUMMARIZATION
    4. Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF Vulnerabilities
       Publication details: Published in 2019 IEEE European Symposium on Security and Privacy (EuroS&P)
       Proposed solution: Black-box detection of CSRF vulnerabilities.
       Research possibility: Using the VGG-16 approach for the classification of disease, as it gives the most optimal solution.
       Tools and technology: Supervised learning, ML classifier, Python, Mitch
  • 55. SUMMARIZATION
    5. Automatic Black-Box Detection of Resistance Against CSRF Vulnerabilities in Web Applications
       Publication details: Published in Elsevier Microprocessor and Microsystems journal, Volume 80, Article 103615, February 2021
       Proposed solution: Black-box detection of CSRF vulnerabilities in web applications.
       Research possibility: Extend the proposed rules to reduce the number of false detections of the method.
       Tools and technology: Open Web Application Security Project, buggy web application
  • 57. FUTURE WORK POSSIBILITY  We can work on finding the best plugin that provides a high security level for our JS library.  Adversarial learning, whose main goal is designing classifiers that are robust to attackers who try to fool them.  We plan to investigate more on the CSRF defense mechanisms and extend the proposed rules to reduce the number of false detections of the method.  We also plan to work on the implementation issues of our method and improve the efficiency of the current implementation.
  • 58. CONCLUSION  Cross-Site Request Forgery (CSRF) is one of the oldest and simplest attacks on the Web, yet it is still effective on many websites and it can lead to severe consequences, such as economic losses and account takeovers. Unfortunately, tools and techniques proposed so far to identify CSRF vulnerabilities either need manual reviewing by human experts or assume the availability of the source code of the web application.
  • 60. REFERENCES
    1. CSRF protection in JavaScript frameworks and the security of JavaScript applications. [1]
    2. Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks. [2]
    3. Automatic Black-Box Detection of Resistance Against CSRF Vulnerabilities in Web Applications. [3]
    4. Machine Learning for Web Vulnerability Detection: The Case of Cross-Site Request Forgery. [4]
    5. Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF Vulnerabilities. [5]