A user-level authentication scheme to mitigate web session-based vulnerabilities


Abstract

After the initial login, web browsers authenticate to web applications by sending the session credentials with every request. Several attacks exploit conceptual deficiencies of this scheme, e.g. Cross-Site Request Forgery, Session Hijacking, Session Fixation, and Clickjacking. We analyze these attacks and identify their common root causes: the browser-based authentication scheme and the missing user context. These root causes allow the attacker to mislead the browser and misuse the user's session context. Based on this result, we present a user authentication scheme that prevents the exploitation of the analyzed vulnerabilities. Our mechanism works by binding image data to individual sessions and requiring submission of this data along with security-critical HTTP requests. This way, an attacker's chance of exploitation is limited to an arbitrarily low probability of guessing the correct session image. © 2012 Springer-Verlag.

APA

Braun, B., Kucher, S., Johns, M., & Posegga, J. (2012). A user-level authentication scheme to mitigate web session-based vulnerabilities. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 7449 LNCS, pp. 17–29). https://doi.org/10.1007/978-3-642-32287-7_2
