
Testing for Integrity Flaws in Web Sessions

Conference paper
Computer Security – ESORICS 2019 (ESORICS 2019)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 11736)

Abstract

Web sessions are fragile and can be attacked at many different levels. Classic attacks like session hijacking, session fixation and cross-site request forgery are particularly dangerous for web session security, because they allow the attacker to breach the integrity of honest users’ sessions by forging requests which get authenticated on the victim’s behalf. In this paper, we systematize current countermeasures against these attacks and the shortcomings thereof, which may completely void protection under specific assumptions on the attacker’s capabilities. We then build on our security analysis to introduce black-box testing strategies to discover insecure session implementation practices on existing websites, which we implement in a browser extension called Dredd. Finally, we use Dredd to assess the security of 20 popular websites from Alexa, exposing a number of session integrity flaws.
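The abstract names three attack classes (session hijacking, session fixation, CSRF) and says the paper derives black-box tests that expose insecure session implementations. The following is an added illustration of what such a black-box test looks like in practice; it is not code from the paper and not the Dredd extension, and the checks it applies are the author-independent, widely documented ones (cookie renewal at login, the Secure, HttpOnly and SameSite attributes, and the __Host- prefix) rather than the paper's own strategies. The function and cookie names, and the captured Set-Cookie headers, are constructed for the example.

```javascript
// Added example (not from the paper, not Dredd): a minimal black-box checker
// for session-cookie integrity hygiene. It takes the Set-Cookie headers
// observed before and after a login and reports practices that the attacks
// in the abstract exploit:
//   - session fixation: the identifier issued before login survives login
//   - network hijacking: cookie not Secure, or overwritable by related domains
//   - script hijacking / CSRF: cookie readable by script, or sent cross-site
// Which cookie names carry the session is an assumption supplied by the caller.

function parseSetCookie(header) {
  // "name=value; Attr1; Attr2=val" -> { name, value, attrs } (attribute names lowercased)
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attrs = new Map();
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    if (i === -1) attrs.set(p.toLowerCase(), true);
    else attrs.set(p.slice(0, i).trim().toLowerCase(), p.slice(i + 1).trim());
  }
  return { name, value, attrs };
}

function checkSessionCookie(cookie) {
  // Attribute hygiene for one session cookie; each finding is one weakness.
  const findings = [];
  const a = cookie.attrs;
  if (!a.has('secure')) findings.push('missing Secure: cookie is sent over plain HTTP');
  if (!a.has('httponly')) findings.push('missing HttpOnly: cookie is readable by injected script');
  const sameSite = String(a.get('samesite') || '').toLowerCase();
  if (sameSite !== 'lax' && sameSite !== 'strict') {
    findings.push('SameSite not Lax/Strict: cookie is attached to cross-site requests (CSRF)');
  }
  if (!cookie.name.startsWith('__Host-')) {
    findings.push('no __Host- prefix: a related-domain attacker can overwrite the cookie');
  }
  return findings;
}

function auditSession(preLoginHeaders, postLoginHeaders, sessionNames) {
  // Returns { cookieName: [finding, ...] } for every assumed session cookie.
  const before = new Map(preLoginHeaders.map(parseSetCookie).map((c) => [c.name, c]));
  const after = new Map(postLoginHeaders.map(parseSetCookie).map((c) => [c.name, c]));
  const report = {};
  for (const name of sessionNames) {
    const findings = [];
    const pre = before.get(name);
    const post = after.get(name);
    // Fixation indicator: the pre-login identifier is still the session after login.
    // This is only an indicator; a server may bind fresh state to the old identifier.
    if (pre && (!post || post.value === pre.value)) {
      findings.push('identifier not renewed at login: session fixation indicator');
    }
    const latest = post || pre;
    if (latest) findings.push(...checkSessionCookie(latest));
    else findings.push('cookie never observed in the capture');
    report[name] = findings;
  }
  return report;
}

// Constructed sample capture (hypothetical headers, not real traffic).
const SAMPLE_PRE_LOGIN = ['sid=abc123; Path=/', 'lang=en; Path=/'];
const SAMPLE_POST_LOGIN = [
  'sid=abc123; Path=/; HttpOnly',
  '__Host-auth=tok9; Path=/; Secure; HttpOnly; SameSite=Lax',
];

function sampleReport() {
  return auditSession(SAMPLE_PRE_LOGIN, SAMPLE_POST_LOGIN, ['sid', '__Host-auth']);
}

console.log(JSON.stringify(sampleReport(), null, 2));
```

On the constructed capture, `sid` is reported for fixation (same value before and after login), missing Secure, missing SameSite and missing prefix, while `__Host-auth` passes every check. A real test harness would feed it headers recorded by a proxy or extension around an actual login, and would treat the fixation line as a lead to confirm manually, not as a verdict.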


Notes

  1. The browser extension is named after Judge Joseph Dredd, a law enforcement and judicial officer in the dystopian future created by some popular British comic books.

  2. Available at https://publicsuffix.org/.

  3. Real services often use multiple session cookies, but the discussion abstracts from this point for simplicity. Session cookies have also been called authentication cookies in related work [15].

References

  1. Akhawe, D., Barth, A., Lam, P.E., Mitchell, J.C., Song, D.: Towards a formal foundation of web security. In: Proceedings of the 23rd IEEE Computer Security Foundations Symposium, CSF 2010, pp. 290–304 (2010)

  2. Barth, A.: HTTP state management mechanism (2011). http://tools.ietf.org/html/rfc6265

  3. Barth, A.: The web origin concept (2011). http://tools.ietf.org/html/rfc6454

  4. Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, pp. 75–88 (2008)

  5. Bau, J., Bursztein, E., Gupta, D., Mitchell, J.C.: State of the art: automated black-box web application vulnerability testing. In: 31st IEEE Symposium on Security and Privacy, S&P 2010, Berkeley/Oakland, California, USA, 16–19 May 2010, pp. 332–345 (2010)

  6. Bortz, A., Barth, A., Czeskis, A.: Origin cookies: session integrity for web applications. In: Web 2.0 Security and Privacy Workshop (W2SP 2011) (2011)

  7. Büchler, M., Oudinet, J., Pretschner, A.: SPaCiTE - web application testing engine. In: Fifth IEEE International Conference on Software Testing, Verification and Validation, ICST 2012, Montreal, QC, Canada, 17–21 April 2012, pp. 858–859 (2012)

  8. Bugliesi, M., Calzavara, S., Focardi, R., Khan, W.: CookiExt: patching the browser against session hijacking attacks. J. Comput. Secur. 23(4), 509–537 (2015)

  9. Bugliesi, M., Calzavara, S., Focardi, R., Khan, W., Tempesta, M.: Provably sound browser-based enforcement of web session integrity. In: Proceedings of the IEEE 27th Computer Security Foundations Symposium, CSF 2014, pp. 366–380 (2014)

  10. Calzavara, S., Conti, M., Focardi, R., Rabitti, A., Tolomei, G.: Mitch: a machine learning approach to the black-box detection of CSRF vulnerabilities. In: IEEE European Symposium on Security and Privacy (2019)

  11. Calzavara, S., Focardi, R., Grimm, N., Maffei, M.: Micro-policies for web session security. In: IEEE 29th Computer Security Foundations Symposium, CSF 2016, Lisbon, Portugal, 27 June–1 July 2016, pp. 179–193 (2016)

  12. Calzavara, S., Focardi, R., Nemec, M., Rabitti, A., Squarcina, M.: Postcards from the post-HTTP world: amplification of HTTPS vulnerabilities in the web ecosystem. In: IEEE Symposium on Security and Privacy (2019)

  13. Calzavara, S., Focardi, R., Squarcina, M., Tempesta, M.: Surviving the web: a journey into web session security. ACM Comput. Surv. 50, 13 (2017)

  14. Calzavara, S., Rabitti, A., Bugliesi, M.: Sub-session hijacking on the web: root causes and prevention. J. Comput. Secur. 27(2), 233–257 (2019)

  15. Calzavara, S., Tolomei, G., Casini, A., Bugliesi, M., Orlando, S.: A supervised learning approach to protect client authentication on the web. TWEB 9(3), 15:1–15:30 (2015)

  16. Dacosta, I., Chakradeo, S., Ahamad, M., Traynor, P.: One-time cookies: preventing session hijacking attacks with stateless authentication tokens. ACM Trans. Internet Technol. 12(1), 1–24 (2012)

  17. Dietz, M., Czeskis, A., Balfanz, D., Wallach, D.S.: Origin-bound certificates: a fresh approach to strong client authentication for the web. In: Proceedings of the 21st USENIX Security Symposium, USENIX 2012, pp. 317–331 (2012)

  18. Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security (HSTS) (2012). http://tools.ietf.org/html/rfc6797

  19. Johns, M., Braun, B., Schrank, M., Posegga, J.: Reliable protection against session fixation attacks. In: Proceedings of the 26th ACM Symposium on Applied Computing, SAC 2011, pp. 1531–1537 (2011)

  20. Khan, W., Calzavara, S., Bugliesi, M., De Groef, W., Piessens, F.: Client side web session integrity as a non-interference property. In: Prakash, A., Shyamasundar, R. (eds.) ICISS 2014. LNCS, vol. 8880, pp. 89–108. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13841-1_6

  21. Kranch, M., Bonneau, J.: Upgrading HTTPS in mid-air: an empirical study of strict transport security and key pinning. In: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, 8–11 February 2015 (2015)

  22. Mozilla: Same-Origin Policy (2015). http://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

  23. Mundada, Y., Feamster, N., Krishnamurthy, B.: Half-baked cookies: hardening cookie-based authentication for the modern web. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2016, Xi’an, China, 30 May–3 June 2016, pp. 675–685 (2016)

  24. Nikiforakis, N., Meert, W., Younan, Y., Johns, M., Joosen, W.: SessionShield: lightweight protection against session hijacking. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 87–100. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19125-1_7

  25. OWASP: OWASP Testing Guide (2016). https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

  26. Pellegrino, G., Johns, M., Koch, S., Backes, M., Rossow, C.: Deemon: detecting CSRF with dynamic analysis and property graphs. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, 30 October–03 November 2017, pp. 1757–1771 (2017)

  27. Peroli, M., Meo, F.D., Viganò, L., Guardini, D.: MobSTer: a model-based security testing framework for web applications. Softw. Test. Verif. Reliab. 28(8), e1685 (2018)

  28. Rocchetto, M., Ochoa, M., Torabi Dashti, M.: Model-based detection of CSRF. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds.) SEC 2014. IAICT, vol. 428, pp. 30–43. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55415-5_3

  29. Sivakorn, S., Polakis, I., Keromytis, A.D.: The cracked cookie jar: HTTP cookie hijacking and the exposure of private information. In: IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, 22–26 May 2016, pp. 724–742 (2016)

  30. Sudhodanan, A., Carbone, R., Compagna, L., Dolgin, N., Armando, A., Morelli, U.: Large-scale analysis & detection of authentication cross-site request forgeries. In: 2017 IEEE European Symposium on Security and Privacy, EuroS&P 2017, Paris, France, 26–28 April 2017, pp. 350–365 (2017)

  31. Tang, S., Dautenhahn, N., King, S.T.: Fortifying web-based applications automatically. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 615–626 (2011)

  32. West, M.: Cookie prefixes (2016). https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00

  33. West, M.: Strict secure cookies (2016). https://tools.ietf.org/html/draft-ietf-httpbis-cookie-alone-01

  34. West, M., Goodwin, M.: Same-site cookies (2016). https://tools.ietf.org/id/draft-ietf-httpbis-cookie-same-site-00.txt

  35. Zheng, X., et al.: Cookies lack integrity: real-world implications. In: Proceedings of the 24th USENIX Security Symposium, USENIX 2015, pp. 707–721 (2015)

Acknowledgements

We would like to thank Alessandro Busatto for contributing to an early stage of the project.

Corresponding author

Correspondence to Stefano Calzavara.

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Calzavara, S., Rabitti, A., Ragazzo, A., Bugliesi, M. (2019). Testing for Integrity Flaws in Web Sessions. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. Lecture Notes in Computer Science, vol 11736. Springer, Cham. https://doi.org/10.1007/978-3-030-29962-0_29

  • DOI: https://doi.org/10.1007/978-3-030-29962-0_29

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-29961-3

  • Online ISBN: 978-3-030-29962-0