Paper Title: Net Helplessness Detection: The Case of Cross-Site Request Forgery
ISSN: 2395-1303
Year of Publication: 2022
DOI: 10.5281/zenodo.7263475

MLA Style: D. Shine Rajesh, Vanga Keerthi Sree, Shravani Puppala, Vadathya Sravani. Net Helplessness Detection: The Case of Cross-Site Request Forgery. International Journal of Engineering and Techniques (IJET), Volume 8, Issue 5, September - October 2022, ISSN: 2395-1303, www.ijetjournal.org

Abstract

In this project, we propose a methodology to leverage Machine Learning (ML) for the detection of web application vulnerabilities. Web applications are particularly challenging to analyze, due to their diversity and the widespread adoption of custom programming practices. ML is thus very helpful for web application security: it can take advantage of manually labeled data to bring the human understanding of the web application semantics into automated analysis tools. We use our methodology in the design of Mitch, the first ML solution for the black-box detection of Cross-Site Request Forgery (CSRF) vulnerabilities. Mitch allowed us to identify 35 new CSRFs on 20 major websites and 3 new CSRFs on production software.

Author Biographies

Stefano Calzavara is a tenure-track assistant professor at Università Ca' Foscari Venezia, Italy. He received a PhD in Computer Science at Università Ca' Foscari Venezia, Italy, in 2013. His main research interests are formal methods and web security. Contact him at calzavara@dais.unive.it.

Mauro Conti is a full professor at University of Padua, Italy. He received a PhD in Computer Science at Sapienza University of Rome, Italy, in 2009. His main research interests are computer security and privacy. Contact him at conti@math.unipd.it.

Riccardo Focardi is a full professor at Università Ca' Foscari Venezia, Italy. He received a PhD in Computer Science at University of Bologna, Italy, in 1999. His main research interests are computer security and formal methods. Contact him at focardi@unive.it.

Alvise Rabitti is a security officer at Università Ca' Foscari Venezia, Italy. He received a bachelor degree in Computer Science from Università Ca' Foscari Venezia, Italy, in 2013. His main research interests are web security and privacy. Contact him at alvise.rabitti@unive.it.

Gabriele Tolomei is an associate professor at Sapienza University of Rome, Italy. He received a PhD in Computer Science at Università Ca' Foscari Venezia, Italy, in 2011. His main research interests are machine learning and web search.