Attacks on the User’s Session

Chapter in: Primer on Client-Side Web Security

Part of the book series: SpringerBriefs in Computer Science (BRIEFSCOMPUTER)

Abstract

By attacking the user’s session, an attacker can gain control over an authenticated session, giving him the same level of access to the target application as the victim. Unfortunately, applications often deploy weak authentication systems and insufficiently protect authenticated sessions, thereby enabling these attacks. In this chapter, we cover two attacks that enable the attacker to transfer an authenticated session from the victim’s browser to his own: session hijacking and session fixation. In addition, we cover the impact of credential theft, a common attack that gives the attacker valid user credentials, allowing him to impersonate a user to the target application. Attacks on the user’s session are common, and are supported by various tools and attack frameworks.



Author information

Corresponding author: Philippe De Ryck.


Copyright information

© 2014 Philippe De Ryck, Lieven Desmet, Frank Piessens, Martin Johns

About this chapter

Cite this chapter

Ryck, P., Desmet, L., Piessens, F., Johns, M. (2014). Attacks on the User’s Session. In: Primer on Client-Side Web Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-12226-7_7

  • DOI: https://doi.org/10.1007/978-3-319-12226-7_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12225-0

  • Online ISBN: 978-3-319-12226-7
