Litcius/Paper detail

Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks

Xhelal Likaj, Soheil Khodayari, Giancarlo Pellegrino

202119 citationsDOIOpen Access PDF

Abstract

Cross-Site Request Forgery (CSRF) is among the oldest web vulnerabilities that, despite its popularity and severity, it is still an understudied security problem. In this paper, we undertake one of the first security evaluations of CSRF defense as implemented by popular web frameworks, with the overarching goal to identify additional explanations to the occurrences of such an old vulnerability. Starting from a review of existing literature, we identify 16 CSRF defenses and 18 potential threats agains them. Then, we evaluate the source code of the 44 most popular web frameworks across five languages (i.e., JavaScript, Python, Java, PHP, and C#) covering about 5.5 million LoCs, intending to determine the implemented defenses and their exposure to the identified threats. We also quantify the quality of web frameworks’ documentation, looking for incomplete, misleading, or insufficient information required by developers to use the implemented CSRF defenses correctly.

Topics & Concepts

JavaScriptComputer scienceWorld Wide WebPython (programming language)PopularityWeb applicationWeb application securityDocumentationCross-site scriptingJavaSource codeSecure codingVulnerability (computing)Computer securityWeb developmentThe InternetInformation securityProgramming languageSoftware security assurancePolitical scienceLawSecurity serviceWeb Application Security VulnerabilitiesSecurity and Verification in ComputingAdvanced Malware Detection Techniques
Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks | Litcius