Web sessions are fragile and can be attacked at many different levels. Classic attacks like session hijacking, session fixation and cross-site request forgery are particularly dangerous for web session security, because they allow the attacker to breach the integrity of honest users’ sessions by forging requests which get authenticated on the victim’s behalf. In this paper, we systematize current countermeasures against these attacks and the shortcomings thereof, which may completely void protection under specific assumptions on the attacker’s capabilities. We then build on our security analysis to introduce black-box testing strategies to discover insecure session implementation practices on existing websites, which we implement in a browser extension called Dredd. Finally, we use Dredd to assess the security of 20 popular websites from Alexa, exposing a number of session integrity flaws.

Testing for Integrity Flaws in Web Sessions

Calzavara S.
;
Rabitti A.;Bugliesi M.
2019-01-01

Abstract

Web sessions are fragile and can be attacked at many different levels. Classic attacks like session hijacking, session fixation and cross-site request forgery are particularly dangerous for web session security, because they allow the attacker to breach the integrity of honest users’ sessions by forging requests which get authenticated on the victim’s behalf. In this paper, we systematize current countermeasures against these attacks and the shortcomings thereof, which may completely void protection under specific assumptions on the attacker’s capabilities. We then build on our security analysis to introduce black-box testing strategies to discover insecure session implementation practices on existing websites, which we implement in a browser extension called Dredd. Finally, we use Dredd to assess the security of 20 popular websites from Alexa, exposing a number of session integrity flaws.
2019
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
File in questo prodotto:
File Dimensione Formato  
esorics19.pdf

non disponibili

Tipologia: Documento in Post-print
Licenza: Accesso chiuso-personale
Dimensione 234.62 kB
Formato Adobe PDF
234.62 kB Adobe PDF   Visualizza/Apri

I documenti in ARCA sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/10278/3722895
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 6
  • ???jsp.display-item.citation.isi??? 3
social impact