
Volume 6, Issue 10, October – 2021 International Journal of Innovative Science and Research Technology

ISSN No:-2456-2165

An Automated Detection System of Cross Site Request Forgery (CSRF) Vulnerability in Web Applications

Md. Afzal Ismail, Department of Software Engineering, Daffodil International University, Bangladesh
Md. Maruf Hassan, Assistant Professor, Department of Software Engineering, Daffodil International University, Bangladesh

Abstract:- In the modern era of technology, the usage of web applications has become enormous. Web applications now deal with much more sensitive data, and because they deal with sensitive data they encounter many threats. Intruders are always trying to find new ways to penetrate these applications and misuse them, and they use vulnerabilities to perform those attacks. Cross site request forgery, also known as CSRF, is one of the vital threats and a top-ranked web application vulnerability. A CSRF attack is a type of attack in which end users are forced to perform unwanted actions on a web application in which they are currently authenticated. Several case studies are found in previous research, and many studies propose and develop different types of models. To secure web applications that are vulnerable to CSRF, many more studies need to be done in this field, as there are not enough studies on automated systems for detecting this vulnerability. Therefore, the key focus of this research is to develop an automated web application vulnerability detection model for detecting the CSRF vulnerability in web applications. My proposed solution is to perform a real-time scan for CSRF vulnerability in a given URL.

Keywords:- CSRF Vulnerability, Cyber Security, Automated Detection Tool, Web Application Vulnerability.

I. INTRODUCTION

Cross site request forgery is a web application vulnerability. If this vulnerability exists in a web application, it means that there is some weakness in the system or that it is misconfigured. It allows an attacker to access sensitive data, modify data, perform state-changing actions, and so on. To make this attack possible, an attacker tricks the user and makes requests from the user's browser to the applications where the user is currently authenticated. A successful CSRF attack can lead to serious security breaches for both the website and the end user.

According to datareportal, the number of internet users is growing day by day; by the end of April 2021 the total number hit the milestone of 4.72 billion users, and most internet users use web applications. [https://datareportal.com/global-digital-overview]

As the targeted user community is huge and growing day by day, web application security has become a major issue, because web applications constantly deal with sensitive information and personal data. Moreover, exploitation of web application vulnerabilities is increasing due to system flaws.

II. RELATED WORK

Cross site request forgery is a client-side attack in which users are tricked into performing some actions or unwanted activities. There is also a vulnerability called Cross-site scripting in web applications, caused by improper input validation. This vulnerability creates many problems, which can occur on both the server side and the client side of the web application with the help of CSRF attacks (Nadar, V. M. et al. 2018).

V. M. Nadar et al. developed an enhanced detection model that can detect cross-site request forgery attacks and Broken Authentication and Session Management attacks within the same simulation environment. Their work only checked for the malicious script (V. M. Nadar et al. 2018).

The Open Web Application Security Project, also known as OWASP, has listed SQL injection, CSRF and XSS vulnerabilities as the most frequently exploited vulnerabilities. An intruder or attacker fixes on a target or victim user and tries to execute malicious JavaScript in the target's browser. By approaching an attack in this way, the attacker never directly targets the victim but exploits a vulnerability in a web application that the targeted victim visits. The malicious script that an attacker wants to execute is a key factor in these types of attack. If the attacker succeeds in planting the malicious script and it is executed, the attacker might be able to access sensitive information such as the sessionID, cookies, etc. (Nagpal, Chauhan et al. 2017).

IJISRT21OCT363 www.ijisrt.com 582


Nagpal et al. developed a system engine that detects SQL injection and stored CSRF attacks. Their study only works for web applications based on PHP (Nagpal, Chauhan et al. 2017).

The CSRF vulnerability lies in the parts of a web application where state-changing actions are performed. So, to detect the vulnerability, it is very important to track where and when a security-related state-changing action is performed within the web application (Liu, Shen et al. 2020). Liu et al. developed a CSRF vulnerability detection model based on graph data mining, which can only detect the vulnerability accurately if a state-changing attack happens (Liu, Shen et al. 2020).

Web applications usually use one type of token, called a secret validation token, to prevent CSRF attacks. Using the secret validation token is a well-established server-side protection against Cross-site request forgery attacks. The token works by validating the token value that is sent along with the other information in the HTTP request, to determine whether the request is actually coming from an authorized user or not (Laila, Moustafa 2018). Laila and Moustafa have developed a web browser extension for mitigating CSRF attacks (Laila, Moustafa 2018).

To perform a CSRF attack, the attacker does not need to modify anything within the user's response or request. It is enough for the attacker if the user visits the attacker's malicious website, from which the attack is launched. The authors also note that if any web application is vulnerable to CSRF attack, the web application will eventually be exploitable by any malicious website on the web (Stefano, Conti et al. 2019). Stefano et al. developed a solution using machine learning for the black-box detection of CSRF vulnerability (Stefano, Conti et al. 2019).

Considering the previous works, to the best of my knowledge, and the nature of those works, there are a minimal number of works that detect cross site request forgery vulnerability or attacks automatically. Furthermore, most of the works detect the attack, not the vulnerability. Therefore, a system is proposed to automatically detect CSRF vulnerability.

III. THE PROPOSED METHODOLOGY

In this section, the system architecture of "CSRFD", our proposed solution, is discussed. The workflow diagram in Figure 1 demonstrates the system architecture of our proposed solution.

Figure 1: System Architecture

This section is divided into three sub-sections, named:
- Web scraping
- Analyze the data
- Response

Web Scraping: To implement a CSRF vulnerability detector, we first used a web scraping technique to extract data from the URL. Web scrapers work by collecting the URLs of the pages from which we want the data. In scraping, the scraper makes a request to the targeted URL, fetches the necessary data and gives us room to save that data into CSV files or other formats. In CSRFD, we have used Beautifulsoup (BS4) to extract data from the URL. It first takes the targeted URL and makes a request to that URL. Thereafter, it fetches the necessary data and saves it in a CSV file.

Analyze the data: In the scraping section, we saved the data into a CSV file. It is now time to use that data. The system opens the CSV file and reads the data from it. After reading that data, the system looks for CSRF tokens. As far as CSRF vulnerability is concerned, the best method to prevent it is to use a secret token that the attacker cannot get. An attacker may get the sessionID, but we need an additional token along with that sessionID which is totally unknown to the attacker. Hence, the attacker cannot misuse the sessionID. The key point is that, to mitigate this vulnerability, a very common and well-known approach is to use CSRF tokens, also called anti-CSRF tokens. Web applications are usually developed on frameworks, and various frameworks offer various types of CSRF tokens or anti-CSRF tokens. According to PortSwigger, a CSRF token is a unique, secret and unpredictable value that an attacker cannot guess. The value is generated on the server side of the web application. This CSRF token is placed on the client side of the web application in such a way that it is included with every subsequent HTTP request that the user makes. [https://portswigger.net/web-security/csrf/tokens]
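The token properties described above (generated on the server, unpredictable, bound to the session, carried in a hidden field and changed after use) as a minimal synchronizer-token implementation. This is an added example, not code from the paper or from the CSRFD tool; the in-memory SESSION_TOKENS store and the function names are assumptions made for the illustration.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory store: session id -> currently valid CSRF token.
# A real application keeps this in its server-side session storage.
SESSION_TOKENS: Dict[str, str] = {}


def issue_token(session_id: str) -> str:
    """Generate a fresh, unpredictable token and bind it to the session."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSION_TOKENS[session_id] = token
    return token


def render_form(session_id: str) -> str:
    """Embed the token in a hidden field (Django's field name is used here)."""
    token = issue_token(session_id)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">'
        "</form>"
    )


def validate_request(session_id: str, submitted: Optional[str]) -> bool:
    """Accept a POST only if the submitted token equals the session's token.

    A cross-site forged request carries the victim's session cookie but cannot
    read the hidden field, so it arrives with no token (or a guessed one) and is
    rejected. The comparison is constant-time, and the token is rotated on
    success so a captured value cannot be replayed, which is the per-request
    change the paper's second condition looks for.
    """
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or submitted is None:
        return False
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    issue_token(session_id)  # rotate: the old value is no longer valid
    return True
```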



These tokens are present in a hidden field and encrypted in such a way that attackers cannot guess the actual data. Moreover, this value changes with every request. Hence, attackers have no chance to reuse a previous token value.

Here, two major conditions are encountered:
1. If a web application uses CSRF tokens, it is free from CSRF vulnerabilities.
2. The token in that field has to change with every request.

Hence, in our system, we first look for the CSRF tokens, and if a token is found, we send the request to that URL again and check whether the previous value of the token matches the current token value or not.

Response: Based on the conditions, our proposed system gives the necessary responses. There are some differences in the naming convention of the CSRF token or anti-CSRF token. For example, the .NET framework uses the name "requestverificationtoken". On the other hand, the Laravel framework uses "_token", and Ruby uses "authenticity_token". Django, the most commonly used framework these days, uses "csrfmiddlewaretoken", etc. Our system first looks for the token; if the token is not found, the site may be vulnerable to CSRF attacks. But if the token exists, the web application may not be vulnerable to CSRF. However, to make sure that the web application is actually free from CSRF vulnerability, we have to check the randomness of that token. In that case, we need to check whether the token value changes with every request or not. Based on the responses, we can come to an interpretation about the web application.

IV. THE PROPOSED ALGORITHM & IMPLEMENTATION

In this section, we describe the central algorithm of our system CSRFD. Figure 2 shows the algorithm of our solution.

Figure 2: Algorithm

First of all, the system takes the seed URL. Then it checks whether the URL is given in an appropriate format or not. If the format of the URL is wrong, it throws an exception asking for the URL in the correct format; the correct format is shown in that exception. If the URL is valid and the format is appropriate, then the web scraper takes the seed URL and sends a request to that targeted URL. In our system, Beautifulsoup, a Python-based library, does the scraping. The version of Beautifulsoup that we used to develop our system is BS4. After sending a request to the targeted URL, the web scraper fetches the data we need from that web application. After fetching that data, we open a CSV file and store the necessary data in it. Then the system reads that CSV file and stores the necessary data in a list. Promptly, the system checks the conditions, and based on those conditions it gives us a response. The conditions that are checked are described in the "Response" section.

Figure 3 gives a glance at some of the base conditions that are used in our solution:

Figure 3: Some used conditions in our system

Test Suite Setup: 22 web applications were selected to perform our tests. Here, we collected some web applications commonly used by users and included our own site to perform the work. Table 1 indicates the application names and the types of those applications. While implementing our tool CSRFD, we used a normal computer running 64-bit Windows 10. The spec sheet looks like this (1.80 GHz, Intel i7, 8GB RAM).

Table 1: Details of test applications
Application | Type
YTS | Entertainment (Movie)
Zedge | Personalization
Rokomari | Online Book store
Netflix | Streaming site
Programming World | Blog
Standard Chattered | Online Banking
Charismatic | Online Cloth store
Brac bank | Online Banking
Artstation | Showcasing Platform
Facebook | Social Site
Sundorban Courier | Courier Service
DailyMotion | Video Sharing
Twitter | Social platform
Digital Photography School | Learning
fmovies | Free streaming site
7lakesbeauty | Beauty Shop
Mayo Clinic | Hospital
freepik | Resource site for graphics
LaReve | Clothing store
EB medicine | Evidence based medical
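The two conditions of section III and the algorithm of section IV (look for a CSRF token field, request the page a second time, compare the values) as a runnable check. This is an added example and not the CSRFD code, which uses Beautifulsoup and CSV files; it uses the standard-library HTML parser instead, takes the page fetcher as a parameter so that the constructed pages at the bottom run offline, and matches the framework field names the paper lists.

```python
import html.parser
from typing import Callable, Dict

# Field names the paper lists for Laravel, Ruby and Django; .NET is matched by
# substring because its field name carries a leading "__" prefix in practice.
KNOWN_TOKEN_NAMES = {"_token", "authenticity_token", "csrfmiddlewaretoken"}


def is_token_field(name: str) -> bool:
    lowered = name.lower()
    return lowered in KNOWN_TOKEN_NAMES or "requestverificationtoken" in lowered


class HiddenFieldParser(html.parser.HTMLParser):
    # Collects name -> value of hidden <input> elements found inside a <form>.
    def __init__(self) -> None:
        super().__init__()
        self.in_form = False
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form and (a.get("type") or "").lower() == "hidden":
            if a.get("name"):
                self.fields[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def find_csrf_tokens(page_html: str) -> Dict[str, str]:
    parser = HiddenFieldParser()
    parser.feed(page_html)
    return {n: v for n, v in parser.fields.items() if is_token_field(n)}


def assess(url: str, fetch: Callable[[str], str]) -> str:
    """Condition 1: a token field must exist. Condition 2: it must change per request."""
    first = find_csrf_tokens(fetch(url))
    if not first:
        return "vulnerable: no CSRF token field found"
    second = find_csrf_tokens(fetch(url))  # second request to the same URL
    stale = [n for n, v in first.items() if second.get(n, v) == v]
    if stale:
        return "vulnerable: token does not change between requests: " + ", ".join(stale)
    return "not vulnerable: per-request CSRF token present"


# Constructed stand-in pages: a Django-style login form, and one with no token.
LOGIN_FORM = ('<form method="post" action="/login/"><input type="hidden" '
              'name="csrfmiddlewaretoken" value="{token}"><input name="username"></form>')
NO_TOKEN_FORM = '<form method="post" action="/login/"><input name="username"></form>'


def simulated_site(template: str, rotate: bool) -> Callable[[str], str]:
    # Builds a fetch(url) that serves the template with a rotating or a fixed token.
    counter = [0]

    def fetch(url: str) -> str:
        counter[0] += 1
        return template.format(token=f"tok{counter[0]:05d}" if rotate else "tok00001")

    return fetch
```

For a live scan, pass a fetcher that performs the HTTP GET (for example one built on urllib.request) in place of simulated_site.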



Table 1 (continued)
DiabaticExpo | Health
BMIobject | Architecture Designing

V. EXPERIMENTAL RESULTS

The results of our experiment are listed in Table 2. In that table, there are two main columns: column 1 refers to the application name, and column 2 refers to the results of our experiment. Column 2 is divided into three sections. The first section is called "Successful"; in this portion, we consider whether our automated tool detects successfully or not. The second section is called "False Positive", and in this section we consider whether our tool shows any non-vulnerable application as vulnerable. The third section, named "False Negative", is a consideration of whether our tool shows any vulnerable site as non-vulnerable or not.

Table 2: Effectiveness of CSRFD
Application | Detection (Successful / False Positive / False Negative)
YTS | ✓
Zedge | ✓
Rokomari | ✓
Netflix | ✓
Programming World | ✓
Standard Chattered | ✓
Charismatic | ✓
Brac bank | ✓
Artstation | ✓
Facebook | ✓
Sundorban Courier | ✓
DailyMotion | ✓
Twitter | ✓
Digital Photography School | ✓
fmovies | ✓
7lakesbeauty | ✓
Mayo Clinic | ✓
freepik | ✓
LaReve | ✓
EB medicine | ✓
DiabaticExpo | ✓
BMIobject | ✓
(Each row carries one mark; which of the three detection columns it falls in is not preserved in this copy. The totals are 20 successful, 2 false positive and 0 false negative.)

Our proposed system CSRFD successfully detects 20 web applications out of 22. Figure 4 illustrates the potency of our experiment: the vulnerability was detected successfully in 20 web applications. The false positive number is also minimal: only 2. And the number of false negatives is 0 (zero). That means that if our system responds that a web application is not vulnerable, the experimental results indicate that the web application is expected to be safe. Moreover, if it responds that the web application is vulnerable, it is very likely to be vulnerable, but we need to keep in mind that the response may sometimes be a false positive.

Figure 4: Potency of CSRFD

The effectiveness of our tool CSRFD achieved 90.91 percent accuracy with a 9.09 percent false positive rate and a 0 (zero) percent false negative rate. For an analytical tool such as CSRFD, the performance is acceptable.

VI. CONCLUSION

Web applications usually restrict their operations/options based on the user type and user authentication. For example, a web application may have a scenario where, without being logged in, the user cannot access some of the services that the application provides. Hence, in our system we cannot perform the experiment on every form of a web application because of proper authentication. Hence, the concept is to check the sign-up or sign-in forms. The justification for this concept is that our system works based on token analysis, and these tokens need to be placed in each form where a POST request applies. Based on this concept, we performed our experiment. A total of 22 web applications were taken and the result is satisfactory. From Table 2, we can see what our system detects among these 22 web applications. An automated tool is implemented to detect the Cross-site request forgery vulnerability. The implemented solution uses a web scraper to fetch data and find vulnerabilities within the web form. This tool can perform a crucial role in the detection of Cross-site Request Forgery vulnerability. The effectiveness of this tool is 90.91 percent. Our future plan is to construct a finite state automaton (FSM) for this detection model.

REFERENCES

[1]. Farah, T., Shojol, M., Hassan, M., & Alam, D. (2016, July). Assessment of vulnerabilities of web applications of Bangladesh: A case study of XSS & CSRF. In 2016 Sixth International Conference on Digital Information and Communication Technology and its Applications (DICTAP) (pp. 74-78). IEEE.



[2]. Lalia, S., & Moustafa, K. (2019, April). Implementation of Web Browser Extension for Mitigating CSRF Attack. In World Conference on Information Systems and Technologies (pp. 867-880). Springer, Cham.
[3]. Liu, C., Shen, X., Gao, M., & Dai, W. (2020, September). CSRF Detection Based on Graph Data Mining. In 2020 IEEE 3rd International Conference on Information Systems and Computer Aided Education (ICISCAE) (pp. 475-480). IEEE.
[4]. Nadar, V. M., Chatterjee, M., & Jacob, L. (2018). A Defensive Approach for CSRF and Broken Authentication and Session Management Attack. In Ambient Communications and Computer Systems (pp. 577-588). Springer, Singapore.
[5]. Nagpal, B., Chauhan, N., & Singh, N. (2017). SECSIX: Security engine for CSRF, SQL injection and XSS attacks. International Journal of System Assurance Engineering and Management, 8(2), 631-644.
[6]. Soleimani, H., Hadavi, M. A., & Bagherdaei, A. (2017, September). WAVE: Black Box Detection of XSS, CSRF and Information Leakage Vulnerabilities. In 2017 14th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology (ISCISC) (pp. 19-24). IEEE.
[7]. Total Number of internet users worldwide | Datareportal. Retrieved May 14 from https://datareportal.com/global-digital-overview
[8]. The CSRF detection cheat sheet | OWASP. Retrieved May 03 from https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
[9]. Web Security CSRF token | Portswigger. Retrieved April 20 from https://portswigger.net/web-security/csrf/tokens

