Session management is a particularly delicate component of web applications, which might suffer from a range of severe security issues, including impersonation attacks. Unfortunately, the scope and significance of prior work on web session security in the wild are limited by the complexity of the attack surface and the challenges of automating the login process on existing websites. In the present article, we fill this gap by proposing the first comprehensive, large-scale web session security measurement based on post-login data. Our analysis is comprehensive in that it deals with all key aspects of web sessions, i.e., the login process, the logout process and the authentication cookie handling. Our automated approach analysed an extensive set of session management practices of over 6,000 sites where login was successful and authentication cookies could be automatically detected, uncovering a widespread adoption of insecure practices in the wild.
Measuring Web Session Security at Scale
Calzavara S.;Rabitti A.
2021-01-01
Abstract
Session management is a particularly delicate component of web applications, which might suffer from a range of severe security issues, including impersonation attacks. Unfortunately, the scope and significance of prior work on web session security in the wild are limited by the complexity of the attack surface and the challenges of automating the login process on existing websites. In the present article, we fill this gap by proposing the first comprehensive, large-scale web session security measurement based on post-login data. Our analysis is comprehensive in that it deals with all key aspects of web sessions, i.e., the login process, the logout process and the authentication cookie handling. Our automated approach analysed an extensive set of session management practices of over 6,000 sites where login was successful and authentication cookies could be automatically detected, uncovering a widespread adoption of insecure practices in the wild.File | Dimensione | Formato | |
---|---|---|---|
compsec21.pdf
Open Access dal 02/10/2023
Tipologia:
Documento in Post-print
Licenza:
Creative commons
Dimensione
571.88 kB
Formato
Adobe PDF
|
571.88 kB | Adobe PDF | Visualizza/Apri |
I documenti in ARCA sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.