Abstract
HTTP cookies play an important role in web applications, as they are used for session authentication without requiring the login credentials to be sent repeatedly. On the other hand, this technique introduces several security vulnerabilities that allow an attacker to take complete control of a session by extracting the corresponding cookie. Therefore, HTTPS is recommended to prevent exposure of the cookie. Unfortunately, cookies can be extracted by different techniques even if HTTPS is employed. This work proposes a simple but effective solution, called CookiesWall, to prevent session hijacking. CookiesWall is implemented as a client-side proxy in Python. The proposed mechanism imposes negligible overhead, and its false positive and false negative rates are observed to be much lower.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Tripathy, S., Kumar, P. (2017). CookiesWall: Preventing Session Hijacking Attacks Using Client Side Proxy. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science(), vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_7
DOI: https://doi.org/10.1007/978-3-319-64701-2_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64700-5
Online ISBN: 978-3-319-64701-2