IMDEA Software

IMDEA initiative

Home > Events > Software Seminar Series > 2018 > Analysis and Detection of Authentication Cross-Site Request Forgeries

Avinash Sudhodanan

Tuesday, January 23, 2018

10:45am Lecture hall 1, level B

Avinash Sudhodanan, Post-doctoral Researcher, IMDEA Software Institute

Analysis and Detection of Authentication Cross-Site Request Forgeries

Abstract:

Cross-Site Request Forgery (CSRF) attacks are one of the critical threats to web applications. In a CSRF attack, an attacker forces the victim’s web browser to send HTTP requests which benefits the attacker (and/or harms the victim) in some way. In this talk I will be focusing on CSRF attacks targeting web sites’ authentication and identity management functionalities (also known as Authentication CSRF). The possible impacts of Authentication CSRF attacks include account hijack, personal information theft and cross-site scripting. I will present different variants of Authentication CSRF attacks, detection strategies and the available countermeasures. I will also discuss the findings of the experiments conducted by my former colleagues and myself on the Alexa top 1500 web sites. For instance, out of the 265 web sites we tested, 70% of them were vulnerable (including the web sites of Microsoft, Google, eBay, Instagram etc.). We also responsibly disclosed our findings to the affected vendors and received bounties and/or honorable mentions.