Abstract
By attacking the user's session, an attacker can take over an authenticated session and obtain the same level of access to the target application as the victim. Unfortunately, applications often deploy weak authentication mechanisms and insufficiently protect authenticated sessions, which enables these attacks. In this chapter, we cover two attacks that let the attacker transfer an authenticated session from the victim's browser to his own: session hijacking and session fixation. In addition, we cover the impact of credential theft, a common attack that gives the attacker valid user credentials and so allows him to impersonate a user towards the target application. Attacks on the user's session are common, and are supported by various tools and attack frameworks.
© 2014 Philippe De Ryck, Lieven Desmet, Frank Piessens, Martin Johns
De Ryck, P., Desmet, L., Piessens, F., Johns, M. (2014). Attacks on the User's Session. In: Primer on Client-Side Web Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-12226-7_7
DOI: https://doi.org/10.1007/978-3-319-12226-7_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12225-0
Online ISBN: 978-3-319-12226-7
eBook Packages: Computer Science, Computer Science (R0)