Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks
Xhelal Likaj, Soheil Khodayari, Giancarlo Pellegrino
Abstract
Cross-Site Request Forgery (CSRF) is among the oldest web vulnerabilities that, despite its popularity and severity, it is still an understudied security problem. In this paper, we undertake one of the first security evaluations of CSRF defense as implemented by popular web frameworks, with the overarching goal to identify additional explanations to the occurrences of such an old vulnerability. Starting from a review of existing literature, we identify 16 CSRF defenses and 18 potential threats agains them. Then, we evaluate the source code of the 44 most popular web frameworks across five languages (i.e., JavaScript, Python, Java, PHP, and C#) covering about 5.5 million LoCs, intending to determine the implemented defenses and their exposure to the identified threats. We also quantify the quality of web frameworks’ documentation, looking for incomplete, misleading, or insufficient information required by developers to use the implemented CSRF defenses correctly.