Biblio

Filters: Author is Rabitti, Alvise  [Clear All Filters]
2020-03-09
Calzavara, Stefano, Conti, Mauro, Focardi, Riccardo, Rabitti, Alvise, Tolomei, Gabriele.  2019.  Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF Vulnerabilities. 2019 IEEE European Symposium on Security and Privacy (EuroS P). :528–543.

Cross-Site Request Forgery (CSRF) is one of the oldest and simplest attacks on the Web, yet it is still effective on many websites and it can lead to severe consequences, such as economic losses and account takeovers. Unfortunately, tools and techniques proposed so far to identify CSRF vulnerabilities either need manual reviewing by human experts or assume the availability of the source code of the web application. In this paper we present Mitch, the first machine learning solution for the black-box detection of CSRF vulnerabilities. At the core of Mitch there is an automated detector of sensitive HTTP requests, i.e., requests which require protection against CSRF for security reasons. We trained the detector using supervised learning techniques on a dataset of 5,828 HTTP requests collected on popular websites, which we make available to other security researchers. Our solution outperforms existing detection heuristics proposed in the literature, allowing us to identify 35 new CSRF vulnerabilities on 20 major websites and 3 previously undetected CSRF vulnerabilities on production software already analyzed using a state-of-the-art tool.

2017-09-11
Calzavara, Stefano, Rabitti, Alvise, Bugliesi, Michele.  2016.  Content Security Problems?: Evaluating the Effectiveness of Content Security Policy in the Wild Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. :1365–1375.

Content Security Policy (CSP) is an emerging W3C standard introduced to mitigate the impact of content injection vulnerabilities on websites. We perform a systematic, large-scale analysis of four key aspects that impact on the effectiveness of CSP: browser support, website adoption, correct configuration and constant maintenance. While browser support is largely satisfactory, with the exception of few notable issues, our analysis unveils several shortcomings relative to the other three aspects. CSP appears to have a rather limited deployment as yet and, more crucially, existing policies exhibit a number of weaknesses and misconfiguration errors. Moreover, content security policies are not regularly updated to ban insecure practices and remove unintended security violations. We argue that many of these problems can be fixed by better exploiting the monitoring facilities of CSP, while other issues deserve additional research, being more rooted into the CSP design.