Abstract
Web sessions are fragile and can be attacked at many different levels. Classic attacks like session hijacking, session fixation and cross-site request forgery are particularly dangerous for web session security, because they allow the attacker to breach the integrity of honest users’ sessions by forging requests which get authenticated on the victim’s behalf. In this paper, we systematize current countermeasures against these attacks and the shortcomings thereof, which may completely void protection under specific assumptions on the attacker’s capabilities. We then build on our security analysis to introduce black-box testing strategies to discover insecure session implementation practices on existing websites, which we implement in a browser extension called Dredd. Finally, we use Dredd to assess the security of 20 popular websites from Alexa, exposing a number of session integrity flaws.
Author supplied keywords
Cite
CITATION STYLE
Calzavara, S., Rabitti, A., Ragazzo, A., & Bugliesi, M. (2019). Testing for Integrity Flaws in Web Sessions. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11736 LNCS, pp. 606–624). Springer. https://doi.org/10.1007/978-3-030-29962-0_29
Register to see more suggestions
Mendeley helps you to discover research relevant for your work.
