Note on Deemon CSRF Paper
Cross-Site Request Forgery (CSRF): an attacker crafts a web page that, when a victim opens it, silently issues requests that perform actions on a site where the victim is logged in.
Common ways to mitigate:
- Unique anti-CSRF token that is verified by the backend
- Keep the session credential in localStorage instead of a cookie (browsers do not attach it automatically to cross-site requests)
- Validate the Referer header
Problem to be addressed
Automatically discover CSRF vulnerabilities in PHP applications.
Which CSRF vulnerabilities are real vulnerabilities?
- Some endpoints do not change the state of the system (state changes show up as UPDATE/DELETE/INSERT queries to the database)
- Some state changes are not security relevant (e.g. logging)
How can requests cause state changes?
- Determine whether anti-CSRF measures are enabled
- No black-box web scanner can reason about the internals of the application
How to scale?
- Reuse instances
Define the analysis as a function $[U], C \to R$ (U = sequence of user actions, C = application container, R = report)
Generate user actions:
- Use frontend fuzzers
Gaining info on state transitions:
- Sniff the network trace between the application and MySQL
Reason with state transitions:
- Use a labeled property graph (FSM + parse trees) to relate each state transition to the request that caused it
- Query the graph with CQL
Thoughts and open questions:
- Symbolic execution could be added to produce a coverage report for the user actions, improving efficiency and comprehensiveness
- Is there a way to deceive Deemon?
- How could CSRF protection be generated automatically for web applications?
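As an added example (not code from the paper or the Deemon project), the following Python sketches the two heuristics noted above on a constructed trace: deciding from the SQL a request triggers whether it is a security-relevant state change, and spotting a candidate anti-CSRF parameter as one whose value differs between two sessions without being copied into the database. The logging-table list and the "a token never reaches SQL" rule are my assumptions, not the paper's.

```python
import re

# Constructed sample trace (not from the paper): one tuple per HTTP request seen from two
# user sessions, with the SQL queries observed on the MySQL connection while it was served.
TRACE = [
    ("s1", "/profile/update", {"email": "a@x.test", "csrf": "9f3a1c"},
     ["UPDATE users SET email='a@x.test' WHERE id=1", "INSERT INTO access_log VALUES (1)"]),
    ("s2", "/profile/update", {"email": "b@x.test", "csrf": "71be04"},
     ["UPDATE users SET email='b@x.test' WHERE id=2", "INSERT INTO access_log VALUES (2)"]),
    ("s1", "/profile/view", {"id": "1"},
     ["SELECT * FROM users WHERE id=1", "INSERT INTO access_log VALUES (1)"]),
    ("s2", "/profile/view", {"id": "2"},
     ["SELECT * FROM users WHERE id=2", "INSERT INTO access_log VALUES (2)"]),
    ("s1", "/cart/add", {"item": "42"}, ["INSERT INTO cart (user_id, item) VALUES (1, 42)"]),
    ("s2", "/cart/add", {"item": "42"}, ["INSERT INTO cart (user_id, item) VALUES (2, 42)"]),
]

WRITE_RE = re.compile(r"^\s*(INSERT|UPDATE|DELETE)\b", re.I)
TABLE_RE = re.compile(r"\b(?:INTO|UPDATE)\s+`?(\w+)`?", re.I)
LOG_TABLES = {"access_log"}  # assumption: analyst-supplied list of pure logging tables

def written_tables(queries):
    """Tables modified by write queries, ignoring logging tables (a state change, but not security relevant)."""
    tables = set()
    for q in queries:
        m = TABLE_RE.search(q) if WRITE_RE.match(q) else None
        if m and m.group(1) not in LOG_TABLES:
            tables.add(m.group(1))
    return tables

def analyze(trace):
    """Per path: security-relevant tables written, candidate anti-CSRF parameters, and a CSRF flag."""
    by_path = {}
    for session, path, params, queries in trace:
        e = by_path.setdefault(path, {"tables": set(), "values": {}, "in_sql": set()})
        e["tables"] |= written_tables(queries)
        for k, v in params.items():
            e["values"].setdefault(k, {})[session] = v
            if any(v in q for q in queries):   # crude substring check: value reached the database
                e["in_sql"].add(k)
    report = {}
    for path, e in by_path.items():
        # Heuristic (assumption): a token differs between sessions and is never copied into SQL,
        # unlike user data such as the e-mail address, which also changes but shows up in the UPDATE.
        tokens = {k for k, vs in e["values"].items() if len(set(vs.values())) > 1 and k not in e["in_sql"]}
        report[path] = {"tables": e["tables"], "tokens": tokens,
                        "csrf_candidate": bool(e["tables"]) and not tokens}
    return report

if __name__ == "__main__":
    for path, r in analyze(TRACE).items():
        print(path, r)
```

A flagged path is only a candidate; Deemon confirms it by replaying the request, which is also where a false token guess would be caught.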