Automatic and Robust Client-Side Protection for Cookie-Based Sessions

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8364)

Abstract

Session cookies constitute one of the main attack targets against client authentication on the Web. To counter that, modern web browsers implement native cookie protection mechanisms based on the Secure and HttpOnly flags. While there is a general understanding about the effectiveness of these defenses, no formal result has so far been proved about the security guarantees they convey. With the present paper we provide the first such result, with a mechanized proof of noninterference assessing the robustness of the Secure and HttpOnly cookie flags against both web and network attacks. We then develop CookiExt, a browser extension that provides client-side protection against session hijacking based on appropriate flagging of session cookies and automatic redirection over HTTPS for HTTP requests carrying such cookies. Our solution improves over existing client-side defenses by combining protection against both web and network attacks, while at the same time being designed so as to minimise its effects on the user’s browsing experience.
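To make the abstract's two mechanisms concrete, the following added example (not the paper's or CookiExt's code) models the browser rules for the Secure and HttpOnly flags and the client-side policy the abstract describes: flag cookies that look like session cookies, and redirect an HTTP request that would carry such a cookie to HTTPS. The Cookie and Request shapes, the name-based session-cookie heuristic and the example.com domain are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False      # Secure flag: sent only over HTTPS
    http_only: bool = False   # HttpOnly flag: hidden from page scripts


@dataclass(frozen=True)
class Request:
    scheme: str   # "http" or "https"
    host: str


def cookies_for_request(jar, req):
    """Browser rule: a Secure cookie is attached only to HTTPS requests,
    so a network attacker watching plain HTTP never sees it."""
    return [c for c in jar
            if c.domain == req.host and (req.scheme == "https" or not c.secure)]


def cookies_visible_to_script(jar, origin_host):
    """Browser rule: document.cookie omits HttpOnly cookies, so an injected
    script (XSS) cannot read them."""
    return [c for c in jar if c.domain == origin_host and not c.http_only]


def looks_like_session_cookie(cookie):
    """Assumed heuristic (stand-in for the extension's own detection)."""
    return any(k in cookie.name.lower() for k in ("sess", "sid", "auth", "token"))


def cookiext_flag(cookie):
    """Client-side flagging: set Secure and HttpOnly on session cookies,
    regardless of what the server sent."""
    if looks_like_session_cookie(cookie):
        return Cookie(cookie.name, cookie.value, cookie.domain, True, True)
    return cookie


def cookiext_rewrite(jar, req):
    """Redirect to HTTPS when an HTTP request would carry a flagged session
    cookie. Without this step the Secure flag alone would silently drop the
    cookie and log the user out, which is the usability cost being avoided."""
    carries_session = any(c.secure and looks_like_session_cookie(c)
                          and c.domain == req.host for c in jar)
    if req.scheme == "http" and carries_session:
        return Request("https", req.host)
    return req
```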



© 2014 Springer International Publishing Switzerland


Cite this paper

Bugliesi, M., Calzavara, S., Focardi, R., Khan, W. (2014). Automatic and Robust Client-Side Protection for Cookie-Based Sessions. In: Jürjens, J., Piessens, F., Bielova, N. (eds) Engineering Secure Software and Systems. ESSoS 2014. Lecture Notes in Computer Science, vol 8364. Springer, Cham. https://doi.org/10.1007/978-3-319-04897-0_11


  • DOI: https://doi.org/10.1007/978-3-319-04897-0_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-04896-3

  • Online ISBN: 978-3-319-04897-0
