Abstract
After the initial login, web browsers authenticate to web applications by sending the session credentials with every request. Several attacks exploit conceptual deficiencies of this scheme, e.g. Cross-Site Request Forgery, Session Hijacking, Session Fixation, and Clickjacking. We analyze these attacks and identify their common root causes in the browser authentication scheme and the missing user context. These root causes allow the attacker to mislead the browser and misuse the user's session context. Based on this result, we present a user authentication scheme that prohibits the exploitation of the analyzed vulnerabilities. Our mechanism works by binding image data to individual sessions and requiring submission of this data along with security-critical HTTP requests. This way, an attacker's exploitation chances are limited to a theoretically arbitrarily low probability of guessing the correct session image.
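The following is an added illustration of the idea the abstract describes, not the authors' implementation: a server-side session store that binds random image data to each session at login and refuses security-critical requests unless that image data is submitted together with the ambient session cookie. Requests are modelled as plain dictionaries, the image is represented by its raw bytes rather than a rendered picture, and the image size (`IMAGE_BYTES`) and all names are assumptions made for this example.

```python
"""Added illustration (not the paper's code): sessions bound to random image data.
A cross-site page can make the browser attach the session cookie, but it cannot
read the session-bound image, so a request lacking the image is rejected."""
import hashlib
import hmac
import secrets

IMAGE_BYTES = 32  # assumption: entropy of the generated session image, in bytes


class ImageBoundSessions:
    """Maps session ids to the digest of the image bound at login."""

    def __init__(self):
        self._bound = {}  # session_id -> sha256(image bytes)

    def login(self):
        """Create a session and a fresh random image; both go to the user's browser.
        The random bytes stand in for the rendered picture shown to the user."""
        session_id = secrets.token_urlsafe(32)
        image = secrets.token_bytes(IMAGE_BYTES)
        self._bound[session_id] = hashlib.sha256(image).digest()
        return session_id, image

    def authorize(self, request):
        """Return True only if the cookie names a live session AND the request
        carries exactly the image bound to that session (constant-time compare)."""
        session_id = request.get("cookies", {}).get("sid")
        submitted = request.get("form", {}).get("session_image")
        expected = self._bound.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, hashlib.sha256(submitted).digest())


def guess_probability(image_bytes=IMAGE_BYTES):
    """Chance that a single blind guess hits the session image."""
    return 2.0 ** (-8 * image_bytes)


def demo():
    """Constructed requests: one genuine, one cross-site forgery, one blind guess."""
    store = ImageBoundSessions()
    sid, image = store.login()

    # Genuine request: cookie sent by the browser, image supplied from the user context.
    genuine = {"cookies": {"sid": sid}, "form": {"session_image": image}}
    # Forged cross-site request: the browser attaches the cookie automatically,
    # but the attacker-controlled page has no access to the session-bound image.
    forged = {"cookies": {"sid": sid}, "form": {"action": "transfer"}}
    # Attacker who knows the session id (e.g. after fixation) but must guess the image.
    guessed = {"cookies": {"sid": sid},
               "form": {"session_image": secrets.token_bytes(IMAGE_BYTES)}}
    return store.authorize(genuine), store.authorize(forged), store.authorize(guessed)


if __name__ == "__main__":
    print(demo(), guess_probability())
```

The point of the check is that the session cookie alone no longer authorizes a state change; the second factor is data the browser only submits when the user's own page context supplies it, and its guessability is set by the entropy of the generated image.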
© 2012 Springer-Verlag Berlin Heidelberg
Braun, B., Kucher, S., Johns, M., Posegga, J. (2012). A User-Level Authentication Scheme to Mitigate Web Session-Based Vulnerabilities. In: Fischer-Hübner, S., Katsikas, S., Quirchmayr, G. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2012. Lecture Notes in Computer Science, vol 7449. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32287-7_2
DOI: https://doi.org/10.1007/978-3-642-32287-7_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32286-0
Online ISBN: 978-3-642-32287-7