Experimental analyses in search of effective mitigation for login cross-site request forgery

Abstract

Advances in web applications and online services continue to stimulate business growth and other applications across the globe. Alongside these developments come increasing cyber security risks and vulnerabilities, which inevitably require mitigation. Web application vulnerabilities are security holes that attackers may attempt to exploit, potentially causing serious damage to a business, such as theft of sensitive data and compromise of business resources. Since web applications are now widely used in critical business environments such as internet banking, communication of sensitive data and online shopping, robust protective measures against a wide range of vulnerabilities are required. This work explores three remediation methods against login CSRF attacks: HTTP header verification, tokenisation and challenge-response authentication. Experiments comprising nine test cases, pairing each of the three mitigation methods with each of three vulnerabilities (XSS, clickjacking and CSRF), are conducted to identify whether exploitation of a vulnerability could bypass a mitigation method and how the mitigation behaved in web applications running in virtual environments. Using specific techniques and scripts against simulated web applications, the three mitigation methods are mapped to the exploitation of the three vulnerabilities in different settings in search of an optimal solution. Results indicate that HTTP header verification did not protect users from clickjacking exploitation, while it was successful against XSS and CSRF attacks. Exploitation of all three vulnerabilities bypassed the tokenisation mitigation. Challenge-response authentication prevented XSS attacks, but exploitation of clickjacking and CSRF defeated it. The significance of these results lies in the fact that each method is effective or ineffective under different conditions, and therefore no single solution can be considered the most appropriate for all web applications.
The study concludes that best practices can be sought through empirical and experimental studies, in which the behaviour of different solutions under different attack scenarios is observed and analysed. Such experiments, designed to bypass mitigations, provide insight into robust and appropriate implementation approaches and, in the era of Artificial Intelligence and Big Data, they should be conducted routinely and automatically.
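As an added example (not code from the chapter, whose test scripts are not reproduced on this page), the following Python shows two of the three mitigations named in the abstract applied to a login request: HTTP header verification (Origin, with Referer as fallback) and tokenisation with a token bound to a pre-login session. The target of login CSRF is the login form itself: an attacker page submits the attacker's own credentials from the victim's browser so that the victim is silently logged into the attacker's account. Names such as SITE_ORIGIN, check_login_request and the request dictionaries are assumptions made for illustration, and the sample requests are constructed inline. The abstract reports that tokenisation was bypassed in the authors' experiments, so the block demonstrates the mechanisms under test, not a proven defence.

```python
"""Login-CSRF request checks: HTTP header verification plus a pre-login
anti-CSRF token. Illustrative example only; not the chapter's scripts."""
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed origin of the site that serves the login form.
SITE_ORIGIN = "https://bank.example"


@dataclass
class PreSession:
    """Anonymous session issued when the login form is served. The CSRF
    token is bound to it, so a forged login POST from another site cannot
    carry a token that matches the victim's pre-session cookie."""
    session_id: str
    csrf_token: str


def issue_pre_session(store: dict) -> PreSession:
    """Create and register a pre-login session (done when GET /login is served)."""
    sess = PreSession(secrets.token_urlsafe(32), secrets.token_urlsafe(32))
    store[sess.session_id] = sess
    return sess


def origin_ok(headers: dict) -> bool:
    """HTTP header verification. Prefer Origin; fall back to Referer.
    A request carrying neither is rejected (fail closed)."""
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        return h["origin"] == SITE_ORIGIN
    if h.get("referer"):
        p = urlsplit(h["referer"])
        return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN
    return False


def token_ok(store: dict, cookies: dict, form: dict) -> bool:
    """Tokenisation: the submitted token must match the one bound to the
    pre-session identified by the cookie. Constant-time comparison."""
    sess = store.get(cookies.get("presession", ""))
    if sess is None:
        return False
    return hmac.compare_digest(sess.csrf_token, form.get("csrf_token", ""))


def check_login_request(store: dict, headers: dict, cookies: dict, form: dict) -> tuple:
    """Apply both checks to a POST /login. Returns (accepted, reason)."""
    if not origin_ok(headers):
        return (False, "cross-site or missing Origin/Referer")
    if not token_ok(store, cookies, form):
        return (False, "missing or mismatched CSRF token")
    return (True, "ok")


def demo() -> list:
    """Constructed requests: a genuine login, a login-CSRF attempt from an
    attacker page (attacker's credentials, victim's cookie), and variants."""
    store = {}
    victim = issue_pre_session(store)
    cookie = {"presession": victim.session_id}
    genuine = {"username": "alice", "password": "pw", "csrf_token": victim.csrf_token}
    # Login CSRF: the attacker's own credentials, submitted from the attacker's
    # page so the victim's browser is logged into the attacker's account.
    forged = {"username": "attacker", "password": "attacker-pw"}
    cases = [
        ({"Origin": SITE_ORIGIN}, cookie, genuine),
        ({"Origin": "https://attacker.example"}, cookie, forged),
        ({"Referer": "https://attacker.example/page.html"}, cookie, forged),
        # Header check passes but the token is absent: tokenisation catches it.
        ({"Origin": SITE_ORIGIN}, cookie, forged),
        # Headers stripped entirely: fail closed.
        ({}, cookie, genuine),
    ]
    return [check_login_request(store, h, c, f) for h, c, f in cases]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accepted" if accepted else "rejected", reason)
```

The two checks are deliberately independent: the fourth constructed case passes header verification and is stopped only by the token, which is the layering the abstract's nine test cases are probing. Neither check says anything about clickjacking, where the request is genuinely same-origin and carries a valid token; that is consistent with the abstract's finding that header verification did not stop clickjacking.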

Citation (APA)

Shibuya, Y., Mwitondi, K., & Zargari, S. (2020). Experimental analyses in search of effective mitigation for login cross-site request forgery. In Advanced Sciences and Technologies for Security Applications (pp. 233–266). Springer. https://doi.org/10.1007/978-3-030-35746-7_12
