SessionShield: Lightweight Protection against Session Hijacking

  • Nick Nikiforakis
  • Wannes Meert
  • Yves Younan
  • Martin Johns
  • Wouter Joosen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6542)


The class of Cross-site Scripting (XSS) vulnerabilities is the most prevalent security problem in the field of Web applications. One of the main attack vectors used in connection with XSS is session hijacking via session identifier theft. While session hijacking is a client-side attack, the actual vulnerability resides on the server-side and, thus, has to be handled by the website’s operator. In consequence, if the operator fails to address XSS, the application’s users are defenseless against session hijacking attacks.

In this paper we present SessionShield, a lightweight client-side protection mechanism against session hijacking that allows users to protect themselves even if a vulnerable website’s operator neglects to mitigate existing XSS problems. SessionShield is based on the observation that session identifier values are not used by legitimate client-side scripts and, thus, need not be available to the scripting languages running in the browser. Our system requires no training period and imposes negligible overhead on the browser, making it ideal for desktop and mobile systems.
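As an added illustration (not code from the paper), here is one way a client-side proxy could act on this observation: withhold session-identifier cookies from responses and re-attach them to outgoing requests, so page scripts never see them. The cookie-name list, the entropy threshold, and all function and class names are assumptions made for this example.

```python
import math
from collections import Counter

# Assumed heuristics (not from the paper): well-known session cookie names,
# or "sess" in the name combined with a long, high-entropy value.
KNOWN_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sid", "sessionid"}

def shannon_bits_per_char(value):
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def looks_like_session_id(name, value):
    if name.lower() in KNOWN_NAMES:
        return True
    return ("sess" in name.lower() and len(value) >= 16
            and shannon_bits_per_char(value) >= 3.0)

class SessionCookieVault:
    """Holds session cookies in the proxy so page scripts never see them."""
    def __init__(self):
        self._store = {}  # host -> {cookie name: value}

    def filter_response(self, host, headers):
        """Drop session-id Set-Cookie headers from a response, remembering them."""
        kept = []
        for key, val in headers:
            if key.lower() == "set-cookie":
                # Only the leading name=value pair matters; attributes are ignored.
                name, _, cookie_val = (p.strip() for p in val.split(";", 1)[0].partition("="))
                if looks_like_session_id(name, cookie_val):
                    self._store.setdefault(host, {})[name] = cookie_val
                    continue
            kept.append((key, val))
        return kept

    def decorate_request(self, host, headers):
        """Re-attach the stored session cookies to an outgoing request."""
        stored = self._store.get(host, {})
        if not stored:
            return list(headers)
        extra = "; ".join(f"{n}={v}" for n, v in stored.items())
        out, merged = [], False
        for key, val in headers:
            if key.lower() == "cookie":
                val, merged = f"{val}; {extra}", True
            out.append((key, val))
        if not merged:
            out.append(("Cookie", extra))
        return out
```

Storage here is keyed by host only and ignores the cookie's Domain, Path and expiry attributes, which a deployed proxy would have to honour.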


Keywords: session hijacking, client-side proxy, http-only





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Nick Nikiforakis (1)
  • Wannes Meert (1)
  • Yves Younan (1)
  • Martin Johns (2)
  • Wouter Joosen (1)

  1. IBBT-DistriNet, Katholieke Universiteit Leuven, Leuven, Belgium
  2. SAP Research - CEC Karlsruhe, Germany
