Abstract
The web is the most widespread and de facto distributed application platform, with a plethora of valuable applications and services. Building stateful services on the web requires a session mechanism that keeps track of server-side session state, such as authentication data. These sessions are an attractive attacker target, since taking over an authenticated session fully compromises the user's account. This paper focuses on session fixation, where an attacker forces the user's browser to use a session the attacker already knows, allowing the attacker to take over that session once the user has authenticated in it.
We present Serene, a self-reliant client-side countermeasure that protects the user from session fixation attacks, regardless of the security provisions – or lack thereof – of a web application. By specifically protecting session identifiers from fixation and not interfering with other cookies or parameters, Serene is able to autonomously protect a large majority of web applications, without being disruptive towards legitimate functionality. We experimentally validate these claims with a large-scale study of Alexa's top one million sites, illustrating both Serene's large coverage (83.43%) and compatibility (95.55%).
This work incorporates contributions from KU Leuven master's students Bram Bonné [4] and Joeri Ledegen. This research is partially funded by the Interuniversity Attraction Poles Programme Belgian State, Belgian Science Policy, IBBT, IWT, the Research Fund KU Leuven and the EU-funded FP7 projects WebSand and NESSoS.
References
Aggarwal, G., Bursztein, E., Jackson, C., Boneh, D.: An analysis of private browsing modes in modern browsers. In: Proceedings of the 19th USENIX Conference on Security, p. 6. USENIX Association (2010)
Barth, A., Jackson, C., Mitchell, J.: Securing frame communication in browsers. Communications of the ACM 52(6), 83–91 (2009)
BBC: Privacy and cookies (2012), http://www.bbc.co.uk/privacy/
Bonné, B.: Improving session security in web applications, http://research.edm.uhasselt.be/~bbonne/docs/Thesis.pdf
Bortz, A., Barth, A., Czeskis, A.: Origin cookies: Session integrity for web applications (2011)
De Ryck, P., Desmet, L., Joosen, W., Piessens, F.: Automatic and Precise Client-Side Protection against CSRF Attacks. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 100–116. Springer, Heidelberg (2011)
Delia Online: Cookies used on Delia Online (2012), http://www.deliaonline.com/home/delia-online-cookies.html
Johns, M., Braun, B., Schrank, M., Posegga, J.: Reliable Protection Against Session Fixation Attacks. In: Proceedings of the 26th ACM Symposium on Applied Computing (SAC) (2011)
Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: a client-side solution for mitigating cross-site scripting attacks. In: Proceedings of the 2006 ACM Symposium on Applied Computing, pp. 330–337. ACM (2006)
Linhart, C., Klein, A., Heled, R., Orrin, S.: HTTP Request Smuggling. Computer Security Journal 22(1), 13 (2006)
Mayer, J., Narayanan, A.: Do not track - universal web tracking opt out (2011), http://donottrack.us/
Microsoft Corporation: Tracking protection lists (2011), http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/
Nikiforakis, N., Meert, W., Younan, Y., Johns, M., Joosen, W.: SessionShield: Lightweight Protection against Session Hijacking. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 87–100. Springer, Heidelberg (2011)
Samuel, J.: Requestpolicy 0.5.20 (2011), http://www.requestpolicy.com
Schrank, M., Braun, B., Johns, M., Posegga, J.: Session Fixation - the Forgotten Vulnerability? In: Proceedings of the 5th Conference on "Sicherheit, Schutz und Zuverlässigkeit" (GI Sicherheit 2010) (2010)
Tang, S., Dautenhahn, N., King, S.T.: Fortifying web-based applications automatically. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS 2011) (2011)
Ter Louw, M., Ganesh, K.T., Venkatakrishnan, V.N.: Adjail: Practical enforcement of confidentiality and integrity policies on web advertisements. In: 19th USENIX Security Symposium (2010)
Williams, J., Wichers, D.: OWASP Top 10. OWASP Foundation (2010)
Zhou, Y., Evans, D.: Why Aren’t HTTP-only Cookies More Widely Deployed? In: Proceedings of 4th Web 2.0 Security and Privacy Workshop (W2SP 2010) (2010)
Copyright information
© 2012 IFIP International Federation for Information Processing
Cite this paper
De Ryck, P., Nikiforakis, N., Desmet, L., Piessens, F., Joosen, W. (2012). Serene: Self-Reliant Client-Side Protection against Session Fixation. In: Göschka, K.M., Haridi, S. (eds) Distributed Applications and Interoperable Systems. DAIS 2012. Lecture Notes in Computer Science, vol 7272. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30823-9_5
DOI: https://doi.org/10.1007/978-3-642-30823-9_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30822-2
Online ISBN: 978-3-642-30823-9