Abstract
Web sessions are fragile and can be attacked at many different levels. Classic attacks like session hijacking, session fixation and cross-site request forgery are particularly dangerous for web session security, because they allow the attacker to breach the integrity of honest users’ sessions by forging requests which get authenticated on the victim’s behalf. In this paper, we systematize current countermeasures against these attacks and the shortcomings thereof, which may completely void protection under specific assumptions on the attacker’s capabilities. We then build on our security analysis to introduce black-box testing strategies to discover insecure session implementation practices on existing websites, which we implement in a browser extension called Dredd. Finally, we use Dredd to assess the security of 20 popular websites from Alexa, exposing a number of session integrity flaws.
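The abstract summarises countermeasures whose protection collapses under particular attacker models. As an added example (not code from the paper or from the Dredd extension), the JavaScript below parses Set-Cookie headers and reports, for each cookie, which attacker can still steal or forge a session given the hardening attributes it carries: a missing Secure flag leaves it to a network attacker (hijacking and overwriting over plain HTTP), a missing HttpOnly flag to injected scripts, a missing SameSite attribute to cross-site request forgery, and a Domain attribute or missing __Host- prefix to a related-domain attacker who can plant a shadowing cookie (session fixation). The sample headers are constructed, not captured from any real site, and the attacker labels and function names are this example's own.

```javascript
// Added example, not code from the paper or from Dredd: classify Set-Cookie
// headers by the attacker model each one stays exposed to, using the cookie
// hardening mechanisms discussed in the references (Secure, HttpOnly,
// SameSite, __Secure-/__Host- prefixes).

// Parse a single Set-Cookie header value into a plain object.
function parseSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: (eq < 0 ? parts[0] : parts[0].slice(0, eq)).trim(),
    value: eq < 0 ? '' : parts[0].slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
    sameSite: null, // null = attribute absent or unrecognised
    domain: null,   // null = host-only cookie
    path: null,
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') {
      const v = val.toLowerCase();
      cookie.sameSite = ['strict', 'lax', 'none'].includes(v) ? v : null;
    } else if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase() || null;
    else if (key === 'path') cookie.path = val || null;
  }
  return cookie;
}

// Cookie-prefix rules (draft-ietf-httpbis-cookie-prefixes): a browser that
// implements them discards a prefixed cookie whose attributes do not match.
function prefixAccepted(c) {
  if (c.name.startsWith('__Host-')) return c.secure && !c.domain && c.path === '/';
  if (c.name.startsWith('__Secure-')) return c.secure;
  return true;
}

// Map the attributes of one session cookie to the attackers it stays exposed
// to. `scheme` is the scheme of the response that set the cookie.
function assessSessionCookie(c, scheme = 'https') {
  const findings = [];
  if (!prefixAccepted(c)) {
    findings.push({ attacker: 'n/a', flaw: 'prefix attributes violated',
      effect: 'browser rejects the cookie' });
  }
  // Network attacker (hijacking): a non-Secure cookie travels in clear over
  // HTTP and, under RFC 6265, can also be overwritten from an HTTP response.
  if (!c.secure) {
    findings.push({ attacker: 'network', flaw: 'missing Secure',
      effect: 'cookie readable and overwritable over plain HTTP' });
  } else if (scheme !== 'https') {
    findings.push({ attacker: 'network', flaw: 'Secure cookie set over HTTP',
      effect: 'strict-secure browsers drop it; others accept an injected value' });
  }
  // Web attacker with a script-injection foothold: readable via document.cookie.
  if (!c.httpOnly) {
    findings.push({ attacker: 'web (script injection)', flaw: 'missing HttpOnly',
      effect: 'session token readable from page scripts' });
  }
  // Web attacker (CSRF): without SameSite the cookie is attached cross-site.
  if (c.sameSite === null || c.sameSite === 'none') {
    findings.push({ attacker: 'web', flaw: 'SameSite absent or None',
      effect: 'cookie attached to cross-site requests (CSRF)' });
  }
  // Related-domain attacker (cookies lack integrity): a sibling host can set a
  // same-named cookie scoped to the parent domain that shadows this one.
  if (c.domain) {
    findings.push({ attacker: 'related-domain', flaw: `Domain=${c.domain}`,
      effect: 'every subdomain can read and overwrite the cookie' });
  } else if (!c.name.startsWith('__Host-')) {
    findings.push({ attacker: 'related-domain', flaw: 'no __Host- prefix',
      effect: 'a subdomain can plant a shadowing cookie (session fixation)' });
  }
  return findings;
}

function auditSetCookieHeaders(headers, scheme = 'https') {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    return { name: c.name, findings: assessSessionCookie(c, scheme) };
  });
}

// Constructed sample headers (not captured from any real site).
const SAMPLE_HEADERS = [
  'SESSIONID=abc123; Path=/',
  'sid=def456; Domain=.example.com; Secure; HttpOnly',
  '__Host-sid=ghi789; Path=/; Secure; HttpOnly; SameSite=Lax',
  '__Host-bad=jkl012; Secure; HttpOnly; SameSite=Strict',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditSetCookieHeaders(SAMPLE_HEADERS)) {
    console.log(r.name, r.findings.length ? r.findings : 'no integrity gap found');
  }
}
```

The check is deliberately per-cookie and attribute-based, which is what a black-box tester sees in responses; it cannot tell whether a server-side CSRF token compensates for a missing SameSite attribute, so a "web" finding is a lead for a forged-request test rather than a confirmed flaw.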
Notes
- 1. The browser extension is named after Judge Joseph Dredd, a law enforcement and judicial officer in the dystopian future created by some popular British comic books.
- 2. Available at https://publicsuffix.org/.
- 3. Real services often use multiple session cookies, but the discussion abstracts from this point for simplicity. Session cookies have also been called authentication cookies in related work [15].
References
Akhawe, D., Barth, A., Lam, P.E., Mitchell, J.C., Song, D.: Towards a formal foundation of web security. In: Proceedings of the 23rd IEEE Computer Security Foundations Symposium, CSF 2010, pp. 290–304 (2010)
Barth, A.: HTTP state management mechanism (2011). http://tools.ietf.org/html/rfc6265
Barth, A.: The web origin concept (2011). http://tools.ietf.org/html/rfc6454
Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, pp. 75–88 (2008)
Bau, J., Bursztein, E., Gupta, D., Mitchell, J.C.: State of the art: automated black-box web application vulnerability testing. In: 31st IEEE Symposium on Security and Privacy, S&P 2010, Berkeley/Oakland, California, USA, 16–19 May 2010, pp. 332–345 (2010)
Bortz, A., Barth, A., Czeskis, A.: Origin cookies: session integrity for web applications. In: Web 2.0 Security and Privacy Workshop (W2SP 2011) (2011)
Büchler, M., Oudinet, J., Pretschner, A.: SPaCiTE - web application testing engine. In: Fifth IEEE International Conference on Software Testing, Verification and Validation, ICST 2012, Montreal, QC, Canada, 17–21 April 2012, pp. 858–859 (2012)
Bugliesi, M., Calzavara, S., Focardi, R., Khan, W.: CookiExt: patching the browser against session hijacking attacks. J. Comput. Secur. 23(4), 509–537 (2015)
Bugliesi, M., Calzavara, S., Focardi, R., Khan, W., Tempesta, M.: Provably sound browser-based enforcement of web session integrity. In: Proceedings of the IEEE 27th Computer Security Foundations Symposium, CSF 2014, pp. 366–380 (2014)
Calzavara, S., Conti, M., Focardi, R., Rabitti, A., Tolomei, G.: Mitch: a machine learning approach to the black-box detection of CSRF vulnerabilities. In: IEEE European Symposium on Security and Privacy (2019)
Calzavara, S., Focardi, R., Grimm, N., Maffei, M.: Micro-policies for web session security. In: IEEE 29th Computer Security Foundations Symposium, CSF 2016, Lisbon, Portugal, 27 June–1 July 2016, pp. 179–193 (2016)
Calzavara, S., Focardi, R., Nemec, M., Rabitti, A., Squarcina, M.: Postcards from the post-HTTP world: amplification of HTTPS vulnerabilities in the web ecosystem. In: IEEE Symposium on Security and Privacy (2019)
Calzavara, S., Focardi, R., Squarcina, M., Tempesta, M.: Surviving the web: a journey into web session security. ACM Comput. Surv. 50, 13 (2017)
Calzavara, S., Rabitti, A., Bugliesi, M.: Sub-session hijacking on the web: root causes and prevention. J. Comput. Secur. 27(2), 233–257 (2019)
Calzavara, S., Tolomei, G., Casini, A., Bugliesi, M., Orlando, S.: A supervised learning approach to protect client authentication on the web. TWEB 9(3), 15:1–15:30 (2015)
Dacosta, I., Chakradeo, S., Ahamad, M., Traynor, P.: One-time cookies: preventing session hijacking attacks with stateless authentication tokens. ACM Trans. Internet Technol. 12(1), 1–24 (2012)
Dietz, M., Czeskis, A., Balfanz, D., Wallach, D.S.: Origin-bound certificates: a fresh approach to strong client authentication for the web. In: Proceedings of the 21st USENIX Security Symposium, USENIX 2012, pp. 317–331 (2012)
Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security (HSTS) (2012). http://tools.ietf.org/html/rfc6797
Johns, M., Braun, B., Schrank, M., Posegga, J.: Reliable protection against session fixation attacks. In: Proceedings of the 26th ACM Symposium on Applied Computing, SAC 2011, pp. 1531–1537 (2011)
Khan, W., Calzavara, S., Bugliesi, M., De Groef, W., Piessens, F.: Client side web session integrity as a non-interference property. In: Prakash, A., Shyamasundar, R. (eds.) ICISS 2014. LNCS, vol. 8880, pp. 89–108. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13841-1_6
Kranch, M., Bonneau, J.: Upgrading HTTPS in mid-air: an empirical study of strict transport security and key pinning. In: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, 8–11 February 2015 (2015)
Mozilla: Same-Origin Policy (2015). http://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
Mundada, Y., Feamster, N., Krishnamurthy, B.: Half-baked cookies: hardening cookie-based authentication for the modern web. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2016, Xi’an, China, 30 May–3 June 2016, pp. 675–685 (2016)
Nikiforakis, N., Meert, W., Younan, Y., Johns, M., Joosen, W.: SessionShield: lightweight protection against session hijacking. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 87–100. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19125-1_7
OWASP: OWASP Testing Guide (2016). https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
Pellegrino, G., Johns, M., Koch, S., Backes, M., Rossow, C.: Deemon: detecting CSRF with dynamic analysis and property graphs. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, 30 October–03 November 2017, pp. 1757–1771 (2017)
Peroli, M., Meo, F.D., Viganò, L., Guardini, D.: MobSTer: a model-based security testing framework for web applications. Softw. Test. Verif. Reliab. 28(8), e1685 (2018)
Rocchetto, M., Ochoa, M., Torabi Dashti, M.: Model-based detection of CSRF. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC 2014. IAICT, vol. 428, pp. 30–43. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55415-5_3
Sivakorn, S., Polakis, I., Keromytis, A.D.: The cracked cookie jar: HTTP cookie hijacking and the exposure of private information. In: IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, 22–26 May 2016, pp. 724–742 (2016)
Sudhodanan, A., Carbone, R., Compagna, L., Dolgin, N., Armando, A., Morelli, U.: Large-scale analysis & detection of authentication cross-site request forgeries. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, Paris, France, 26–28 April 2017, pp. 350–365 (2017)
Tang, S., Dautenhahn, N., King, S.T.: Fortifying web-based applications automatically. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 615–626 (2011)
West, M.: Cookie prefixes (2016). https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00
West, M.: Strict secure cookies (2016). https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01
West, M., Goodwin, M.: Same-site cookies (2016). https://tools.ietf.org/id/draft-ietf-httpbis-cookie-same-site-00.txt
Zheng, X., et al.: Cookies lack integrity: real-world implications. In: Proceedings of the 24th USENIX Security Symposium, USENIX 2015, pp. 707–721 (2015)
Acknowledgements
We would like to thank Alessandro Busatto for contributing to an early stage of the project.
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Calzavara, S., Rabitti, A., Ragazzo, A., Bugliesi, M. (2019). Testing for Integrity Flaws in Web Sessions. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science, vol 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_29
DOI: https://doi.org/10.1007/978-3-030-29962-0_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29961-3
Online ISBN: 978-3-030-29962-0