Исследование атак типа «Cross-Site Request Forgery» в рамках проведения анализа уязвимостей веб-приложений

Barabanov A.V,Polotnyanschikov I.A,Lavrov A.I,Tsirlov V.L,Markov A.S

doi:10.15514/ispras-2017-29(5)-1

Barabanov A.V, Polotnyanschikov I.A + Show 3 more

Open Access

https://doi.org/10.15514/ispras-2017-29(5)-1

Copy DOI

Abstract

Nowadays, web applications are one of the most popular types of target of evaluation within the framework of the information security certification. The relevance of the study of web applications vulnerabilities during information security certification is due to the fact that web technologies are actively used while producing modern information systems, including information systems critical from the information security point of view, and on the other hand carrying out basic attacks on such information systems do not require violators of high technical competence, since data on typical vulnerabilities and attacks, including the attacking tools are heavily represented in publicly available sources of information, and the information systems themselves are usually available from public communication networks. The paper presents the results of a study of the security of web applications that are target of evaluation within the framework of certification for information security requirements against cross-site requests forgery attacks. The results of systematization and generalization of information about the cross-site requests forgery attacks and security controls used by web application developers are presented. The results of experimental studies of 10 web applications that have passed certification tests against information security requirements are presented. The results of experimental studies have shown that most developers do not pay enough attention to protection from cross-site request forgery attack - 7 out of 10 web applications tested have been vulnerable to this type of attack. Based on the results of processing the results of experimental studies, the distribution of security controls used in web applications and identified vulnerabilities by programming languages were obtained. Recommendations regarding the protection of web applications against cross-site request forgery attack for developers planning to certify their software are formulated.

Highlights

Software created with the use of web-technologies is currently one of the main components in automated control system (ACS) design
Software vulnerabilities are analyzed during certification for compliance with the requirements to the protection profiles approved by FSTEC of Russia (Federal Service for Technology and Export Control), which clearly includes requirements of AVA_VAN assurance family “Vulnerability analysis”, and during testing for compliance with the requirements of the technical specifications and classic governing documents of FSTEC of Russia
The procedure for vulnerability analysis recommended by FSTEC of Russia consists in the joint use of approaches specified in the Common Methodology for Information Technology Security Evaluation and ISO/IEC TR 20004 [3]

Summary

Introduction

Software created with the use of web-technologies is currently one of the main components in automated control system (ACS) design. Various procedures (such as certification, independent security audit) are currently used to lower probability of successful attack They are aimed at identifying vulnerabilities in the software used to design ACS [1, 2]. Success of CSRF-attack is determined by the following factors [7, 8]: The browser automatically applies authentication data of the user (for instance, session cookie-files), when sending HTTP-request to the webapplication; Web-application uses the obtained authentication data to authorize the action required for performance by HTTP-request. The most popular security measures against CSRF-attacks are tokens (synchronic tokens or generated using HMAC cryptographic function) that are generated and checked on the web-application side This security measure is implemented, as a rule, by the web-application itself or the framework. It can be a combination of tokens, verification of HTTP-header and security measures that require actions from the end user, who performs a critical operation (entry of onetime code/ password)

Methods and results of the study

Findings

Conclusions