Vulnerability Analysis of Online Banking Sites to Cross-Site Scripting and Request Forgery Attacks: A Case Study in East Africa
Date
2021
Publisher
IEEE 8th International Conference on Adaptive Science and Technology
Abstract
Web applications are prone to several attacks. Two common threats are cross-site scripting attacks and cross-site request forgery. With internet banking becoming more popular in East Africa, the level of security that online banking services offer has become an increasing concern. This paper presents an analysis of the safety of these applications used by many unsuspecting customers seeking convenience and determines ways to detect and prevent these attacks from taking place. We assumed that if people with a technical background in IT and information security are vulnerable to CSRF and XSS attacks, the public would be even more vulnerable. Out of 96 users, 35 answered our survey; 53.1% of the respondents said they do not check the URLs of online banking websites they visit to ensure they are not on a phishing site. Secondly, only 36.4% of users considered the security implications of clicking on links in emails or even on banking websites all the time. Based on the interviews done, testing and analysis conducted, there is a clear indication that Internet banking users are vulnerable to XSS and CSRF. Notably, close to 50% of the Internet banking users we interviewed reported that they do not receive ample tips from the banks regarding security issues to look out for when transacting online. The findings from this research help make recommendations to banks and users to ensure that future online banking transactions are done more securely.
Description
Research Article
Keywords
Cross-site scripting, cross-site request forgery, threats, attacks, Internet banking