Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Friday, May 12 • 14:10 - 14:55
Analysis and Detection of Authentication Cross-Site Request Forgery

Sign up or log in to save this to your schedule and see who's attending!

Feedback form is now closed.
Cross-Site Request Forgery (CSRF) attacks are one of the critical threats for web applications. In this presentation, we focus on CSRF attacks that affects web sites’ authentication and identity management functionalities. We call them collectively as Authentication CSRF. If carried out successfully, Authentication CSRF attacks can cause sensitive information theft, account hijack, etc. We will present seven security testing strategies that can be used by a tester to manually detect vulnerabilities causing Authentication CSRF. We will also present CSRF-Checker, a proof-of-concept tool based on OWASP ZAP that helps in the semi-automatic detection of Authentication CSRF. Additionally, we will describe our experience of testing Alexa top 1500 web sites using our manual and semi-automatic Authentication CSRF testing strategies. The results are alarming, we discovered 191 vulnerable web sites spread across Alexa top 1500, including web sites from top vendors such as Microsoft, Google, etc.

Speakers
avatar for Luca Compagna

Luca Compagna

Researcher, SAP
Dr. Luca Compagna is part of the Security Research team at SAP where is contributing to the research strategy and to the software security analysis area in particular. He received his Ph.D. in Computer Science jointly from the U. of Genova and U. of Edinburgh. His area of interes... Read More →
avatar for Avinash Sudhodanan

Avinash Sudhodanan

Early Stage Researcher, Fondazione Bruno Kessler
Avinash Sudhodanan is an Early Stage Researcher at the Security & Trust Unit of Fondazione Bruno Kessler and a 3rd year PhD student at University of Trento. He is focusing his research on Automatic Analysis of Browser-Based Security Protocols (in the context of the EU project SEC... Read More →


Friday May 12, 2017 14:10 - 14:55
Waterfront Center: Hall 1A