
Prevent Session Hijacking by Binding the Session to the Cryptographic Network Credentials

Conference paper, Secure IT Systems (NordSec 2013)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8208)
Abstract

Many cyber-physical applications are responsible for safety-critical or business-critical infrastructure. Such applications are often controlled through a web interface: they manage sensitive databases, drive important SCADA systems or implement essential business processes. A vast majority of such web applications are known to be vulnerable to a number of exploits. The focus of this paper is the vulnerability of session stealing, also called session hijacking. We developed a novel method to prevent session stealing in general. The key idea of the method is binding the securely negotiated communication channel to the application's user authentication. For this we introduce a server-side reverse proxy which runs independently of the client and server software. The proposed method wraps around the deployed infrastructure and requires no alterations to existing software. This paper discusses the technical encryption issues involved in employing this method. We describe a prototype implementation and motivate the technical choices made. Furthermore, the prototype is validated by applying it to secure the particularly vulnerable Blackboard Learn system, an important and critical infrastructural application for our university. We concretely demonstrate how to protect this system against session stealing. Finally, we discuss the application areas of this new method.
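To make the key idea concrete, the following is an added illustration written for this page; it is not the authors' prototype and this page does not state which channel property their proxy binds to. The example assumes a TLS-terminating reverse proxy that can obtain a channel-binding value for each incoming connection (for instance the TLS session identifier or an RFC 5929 tls-unique value; that choice is an assumption here). When the backend issues its session cookie, the proxy adds a second cookie carrying an HMAC over the session identifier and the channel-binding value. A request that presents the application cookie over a different TLS channel fails the check and never reaches the backend, so a cookie stolen through XSS or a compromised client is useless elsewhere. The cookie names, the `Request`/`Response` classes and the sample channel values are constructed for the example.

```python
"""Added example: a session-to-channel binding check as a reverse proxy would
apply it. Not the paper's code; the binding mechanism is an assumption."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

APP_COOKIE = "JSESSIONID"    # hypothetical name of the backend's session cookie
BIND_COOKIE = "SESSIONBIND"  # hypothetical name of the proxy-added binding cookie


@dataclass
class Request:
    """What the proxy sees for one request on one TLS connection."""
    channel_binding: bytes           # supplied by the TLS layer for this connection
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    """A backend response as seen by the proxy on the way back to the client."""
    status: int
    set_cookies: dict = field(default_factory=dict)


class SessionBindingProxy:
    """Stateless binding: the proxy keeps only an HMAC key, so no per-session
    table is needed and the backend is never modified."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)

    def _tag(self, session_id: str, channel_binding: bytes) -> str:
        # Tag depends on both the application session and the TLS channel;
        # a separator prevents ambiguity between the two fields.
        msg = session_id.encode() + b"\x00" + channel_binding
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def handle_backend_response(self, req: Request, resp: Response) -> Response:
        """Called on the way back from the backend: when it issues a session
        cookie, attach the binding cookie for the channel the login came over."""
        if APP_COOKIE in resp.set_cookies:
            sid = resp.set_cookies[APP_COOKIE]
            resp.set_cookies[BIND_COOKIE] = self._tag(sid, req.channel_binding)
        return resp

    def check_request(self, req: Request) -> bool:
        """Called before forwarding to the backend. True means the request may
        proceed; False means the session cookie is not bound to this channel."""
        sid = req.cookies.get(APP_COOKIE)
        if sid is None:
            return True  # no session yet (e.g. the login page): nothing to bind
        presented = req.cookies.get(BIND_COOKIE, "")
        expected = self._tag(sid, req.channel_binding)
        # Constant-time compare on bytes so a non-ASCII cookie value cannot
        # raise instead of simply failing.
        return hmac.compare_digest(presented.encode(), expected.encode())


def demo() -> tuple:
    """Victim logs in over one TLS channel; attacker replays the stolen
    cookies over another. Returns (legitimate_allowed, hijack_allowed)."""
    proxy = SessionBindingProxy()
    victim_channel = b"tls-unique-victim"      # constructed sample values
    attacker_channel = b"tls-unique-attacker"

    # 1. Victim logs in; the backend sets its session cookie; the proxy binds it.
    login = Request(victim_channel, {})
    resp = proxy.handle_backend_response(login, Response(200, {APP_COOKIE: "ABC123"}))
    victim_cookies = dict(resp.set_cookies)

    # 2. The victim's next request on the same channel passes.
    legit_ok = proxy.check_request(Request(victim_channel, victim_cookies))

    # 3. The attacker has both cookies (stolen via XSS, say) but a different
    #    TLS channel: the tag no longer matches and the proxy refuses it.
    hijack_ok = proxy.check_request(Request(attacker_channel, dict(victim_cookies)))
    return legit_ok, hijack_ok


if __name__ == "__main__":
    print(demo())
```

The practical difficulty, which any deployment has to solve, is that the binding value must be stable for the duration of one user's session: browsers open several TLS connections and resume or renegotiate sessions, so a per-connection value such as tls-unique would lock out the legitimate user on the next connection, while a value that survives resumption (or a client certificate) does not. The proxy also has to decide what a mismatch means for the user (re-authenticate versus hard reject) and should log it, since a mismatch is strong evidence of an attempted hijack.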

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Burgers, W., Verdult, R., van Eekelen, M. (2013). Prevent Session Hijacking by Binding the Session to the Cryptographic Network Credentials. In: Riis Nielson, H., Gollmann, D. (eds) Secure IT Systems. NordSec 2013. Lecture Notes in Computer Science, vol 8208. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41488-6_3

  • DOI: https://doi.org/10.1007/978-3-642-41488-6_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41487-9

  • Online ISBN: 978-3-642-41488-6
