Professional Documents
Culture Documents
CSRF and XSS Attacks and Defense Mechanisms
CSRF and XSS Attacks and Defense Mechanisms
ISSN No:-2456-2165
Abstract:- Ransacking for just the perfect article is that A small change in code or a little error can cause
the most preferred and is sort of not easy to search out enormous damage. Therefore it must be handled carefully to
supported the present requirements. As technology is allow the best possible results. Many researchers try to
developing day by day, hacking is additionally occurring search out a praiseworthy solution to unravel these
very often. In these recent times, the sector of problems.
cybersecurity is in dire need of prevention from this.
Gone are the times when firewalls were able to protect This papers main objective is to assist everyone who is
your data. According to PT Security, each system contains making a brand new website, learning about cybersecurity
22 vulnerabilities out of which four are of high risk.We or anyone using some online environment in day to day life
need to try to do this ourselves to stop cybercrime. be safe from these pentesters. This paper has been divide
According to Kaspersky Labs, the typical cost of a into many sections. Previous one was the abstract, Section I
cyber-breach is $1.23 million. This paper is on the brink is that the introduction of the subject. Section –II is about
to give the simplest possible ways to assist and help make Related Work which contains the information about the
secure websites. Security of Web application has become topic and some work related to this paper. Section-III is
a vital challenge because of common vulnerabilities about the methodology of how attack is performed. Section-
found during a web application nowadays. Web Security IV is about the implementation and prevention of the attack.
is a crucial step to induce through a number of your This is the most important part of this research paper.
problems for an answer. Once you know that your Section-V is all that says the paper review and conclusion
website is safe, you will be less accentuated. There are on my research. After that are some References to some
lots of attacks accustomed hack a web site like CSRF, other research papers.
XSS, Command Execution, Brute Force and more.I have
thoroughly researched the most general vulnerabilities II. RELATED WORK
and created a live environment to attack similarly to
defend using the newest software. During this paper, I Cross-Site Request Forgery (CSRF) is an attack which
have discussed two such vulnerabilities. They are Cross- compels users to perform unwanted actions on the sites on
Site Request Forgery (CSRF) and Cross-Site Scripting which they logged in currently. [1] Through social
(XSS) and their prevention. engineering, the attacker sends the user some certain links
that are specially crafted for that user, using which an
Keywords:- Web Security, Cyber Security, CSRF, XSS, attacker may trick the users of a web application into
Application Security. executing actions of the attacker choosing. [2] In a
successful CSRF attack, the user unknowingly can do a lot
I. INTRODUCTION of damage such as transferring money, changing passwords,
provide sensitive data. If performed on an administrative
In today’s world of digitalization, web applications, account, it can give the attacker access to the whole network
which generally act as public-facing entities for several and cause widespread damage. Csrf attack exploits the
businesses and corporations, are often the victim of property of the web browser of automatically including the
malicious attacks by hackers who wish to steal customer cookies used by a given domain to any web request. In any
data or whirl their way farther into a corporation’s private event of user unknowingly submitting a request to the
network. There are some web applications available which browser, which automatically collects the cookies of the site
are design to be intentionally vulnerable for training the user is logged in and as a result, it creates a facade that
purposes. What I think is that web applications must be the forged request becomes true. Hence, the attacker now
developed by highly skilled developers who knows the can manipulate that request to perform any action such as
importance of providing security and knows how to handle returning data, modifying data and more.
these vulnerabilities. Several companies understand the use
of the word security in web applications so they use these Cross-Site Scripting (XSS) is a Code injection attack
type of developers and have trained individuals who knows executed on the client-side of a Web App. Here, the attacker
about cyber security. These individuals work to stay an injects some malicious code (script) through your web
account on all the kind of vulnerabilities that exist and to browser. Now, whenever you visit that web server, the
work the way to overcome if any new threat comes. malicious script is executed. It can harm you by stealing
cookies, session tokens, and much more sensitive data. It
can modify the contents of the website. XSS attacks are
5. Gmail ( www.gmail.com ) [5]Let's take a scenario where the user is active on site
A vulnerability in GMail was discovered in January A and the attacker wants the user to change his password
2007 which allowed an attacker to steal a Gmail user's from a malicious site B.
contact list. A distinct issue was discovered in Netflix which
allowed an attacker to alter the name and address on the To achieve this the attacker first needs to get his hands
account, additionally as add movies to the rental queue etc. on the form of site A which changes the password of site A
and create a form of the site B which tricks users on clicking
V. CONCLUSION
REFERENCES
[1]. https://www.netsparker.com/blog/websecurity/csrf-
cross-site-request-forgery/
[2]. “Survey on Cross Site Request Forgery (An Overview
of CSRF)”By Sentamilselvan K, Dr.S.Lakshamana
Pandian
[3]. https://en.wikipedia.org/wiki/Cross-
site_request_forgery
[4]. https://d1wqtxts1xzle7.cloudfront.net/50582893/ICCS
N.
[5]. Hackersploit (YouTube channel)
https://www.youtube.com/channel/UC0ZTPkdxlAKf-
V33tqXwi3Q
[6]. OWASP CSRF https://owasp.org/www-
community/attacks/csrf#:~:text=Cross%2DSite%20Re
quest%20Forgery%20(CSRF)%20is%20an%20attack
%20that,response%20to%20the%20forged%20request
[7]. ”Robust Defenses for Cross Site Request Forgery”
Adam Barth, Collin Jackson, John C.
Mitchell(Stanford University).
[8]. “Assessment of vulnerabilities of web applications of
Bangladesh: A case study of XSS and CSRF” By
TanjilaFarah
[9]. https://cheatsheetseries.owasp.org/cheatsheets/Cross-
Site_Request_Forgery_Prevention_Cheat_Sheet.html
[10]. “A study of effectiveness of CSRF Guard” By Boyan
Chen, PavolZavarsky, Ron Duhl and Dane Lindskog