Web Vulnerability Detection by Machine Learning in the Case of Cross-Site Request Forgery
Keywords: Machine learning, cross-site request forgery, web security

Abstract

In this article, we propose a methodology to leverage Machine Learning (ML) for the detection of web application vulnerabilities. Web applications are particularly challenging to analyze, due to their diversity and the widespread adoption of custom programming practices. ML is therefore very helpful for web application security: it can take advantage of manually labeled data to bring the human understanding of web application semantics into automated analysis tools. We apply our methodology in the design of Mitch, the first ML solution for the black-box detection of Cross-Site Request Forgery (CSRF) vulnerabilities. Mitch allowed us to identify thirty-five new CSRFs on twenty major websites and three new CSRFs on production software.