Abstract
In this article, we survey the most common attacks against web sessions, that is, attacks that target honest web browser users establishing an authenticated session with a trusted web application. We then review existing security solutions that prevent or mitigate the different attacks by evaluating them along four different axes: protection, usability, compatibility, and ease of deployment. We also assess several defensive solutions that aim at providing robust safeguards against multiple attacks. Based on this survey, we identify five guidelines that, to different extents, have been taken into account by the designers of the different proposals we reviewed. We believe that these guidelines can be helpful for the development of innovative solutions approaching web security in a more systematic and comprehensive way.
Surviving the Web: A Journey into Web Session Security