Skip to main content
SpringerLink
Log in

A User-Level Authentication Scheme to Mitigate Web Session-Based Vulnerabilities

  • Conference paper
Book cover Trust, Privacy and Security in Digital Business (TrustBus 2012)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7449))

Abstract

After the initial login, web browsers authenticate to web applications by sending the session credentials with every request. Several attacks exist which exploit conceptual deficiencies of this scheme, e.g. Cross-Site Request Forgery, Session Hijacking, Session Fixation, and Clickjacking. We analyze these attacks and identify their common root causes in the browser authentication scheme and the missing user context. These root causes allow the attacker to mislead the browser and misuse the user’s session context. Based on this result, we present a user authentication scheme that prohibits the exploitation of the analyzed vulnerabilities. Our mechanism works by binding image data to individual sessions and requiring submission of this data along with security-critical HTTP requests. This way, an attacker’s exploitation chances are limited to a theoretically arbitrary low probability to guess the correct session image.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 49.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: CAPTCHA: Using Hard AI Problems for Security. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 294–311. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  2. Barth, A., Jackson, C., Mitchell, J.C.: Robust Defenses for Cross-Site Request Forgery. In: CCS 2009 (2009)

    Google Scholar 

  3. Hardy, N.: The Confused Deputy (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22, 36–38 (1988)

    Article  Google Scholar 

  4. Johns, M.: SessionSafe: Implementing XSS Immune Session Handling. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 444–460. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  5. Johns, M., Braun, B., Schrank, M., Posegga, J.: Reliable Protection Against Session Fixation Attacks. In: Proceedings of ACM SAC (2011)

    Google Scholar 

  6. Johns, M., Winter, J.: RequestRodeo: Client Side Protection against Session Riding. In: OWASP Europe 2006 (May 2006)

    Google Scholar 

  7. Jovanovic, N., Kruegel, C., Kirda, E.: Preventing cross site request forgery attacks. In: Proceedings of Securecomm 2006 (2006)

    Google Scholar 

  8. Kolsek, M.: Session Fixation Vulnerability in Web-based Applications. Whitepaper, Acros Security (December 2002), http://www.acrossecurity.com/papers/session_fixation.pdf

  9. Microsoft. X-Frame-Options (May 20, 2011), http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

  10. Mozilla. X-Frame-Options response header (May 20, 2011), https://developer.mozilla.org/en/the_x-frame-options_response_header

  11. Mozilla. Csp (content security policy). Mozilla Developer Network (March 2009), https://developer.mozilla.org/en/Security/CSP

  12. MSDN. Mitigating Cross-site Scripting With HTTP-only Cookies (June 08, 2012), http://msdn.microsoft.com/en-us/library/ms533046VS.85.aspx

  13. Niemietz, M.: UI Redressing: Attacks and Countermeasures Revisited. In: CONFidence 2011 (2011)

    Google Scholar 

  14. Hansen, R.: Clickjacking (May 20, 2011), http://ha.ckers.org/blog/20080915/clickjacking/

  15. Hansen, R., Grossman, J.: Clickjacking (May 20, 2011), http://www.sectheory.com/clickjacking.htm

  16. Ruderman, J.: The Same Origin Policy (August 2001), https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript (June 08, 2012)

  17. De Ryck, P., Desmet, L., Heyman, T., Piessens, F., Joosen, W.: CsFire: Transparent Client-Side Mitigation of Malicious Cross-Domain Requests. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 18–34. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  18. Rydstedt, G., Bursztein, E., Boneh, D., Jackson, C.: Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites. In: Proceedings of W2SP 2010 (2010)

    Google Scholar 

  19. Schrank, M., Braun, B., Johns, M., Posegga, J.: Session Fixation - the Forgotten Vulnerability? In: Proceedings of GI Sicherheit 2010 (2010)

    Google Scholar 

  20. W3C. HTML5 - The canvas element (September 24, 2011), http://www.w3.org/TR/html5/the-canvas-element.html

  21. W3C. HTML5 - The iframe element (August 29, 2011), http://www.w3.org/TR/html5/the-iframe-element.html#the-iframe-element

  22. Zhou, Y., Evans, D.: Why Aren’t HTTP-only Cookies More Widely Deployed? In: Proceedings of W2SP 2010 (2010)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Institute of IT-Security and Security Law (ISL), University of Passau, Germany

    Bastian Braun, Stefan Kucher & Joachim Posegga

  2. SAP Research, Germany

    Martin Johns

Authors
  1. Bastian Braun
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Stefan Kucher
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Martin Johns
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Joachim Posegga
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, Karlstad University, Universitetsgatan 2, 65188, Karlstad, Sweden

    Simone Fischer-Hübner

  2. Department of Digital Systems, University of Piraeus, 80 Karaoli and Dimitriou Str, 18532, Piraeus, Greece

    Sokratis Katsikas

  3. Department of IT, Engineering and Environment, University of South Australia, Mawson Lakes Campus, 5001, Adelaide, SA, Australia

    Gerald Quirchmayr

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Braun, B., Kucher, S., Johns, M., Posegga, J. (2012). A User-Level Authentication Scheme to Mitigate Web Session-Based Vulnerabilities. In: Fischer-Hübner, S., Katsikas, S., Quirchmayr, G. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2012. Lecture Notes in Computer Science, vol 7449. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32287-7_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-32287-7_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32286-0

  • Online ISBN: 978-3-642-32287-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation