
SessionShield: Lightweight Protection Against Session Hijacking

N. Nikiforakis, Wannes Meert, Yves Younan, M. Johns, W. Joosen
Published 2011 · Computer Science

The class of Cross-site Scripting (XSS) vulnerabilities is the most prevalent security problem in the field of Web applications. One of the main attack vectors used in connection with XSS is session hijacking via session identifier theft. While session hijacking is a client-side attack, the actual vulnerability resides on the server side and, thus, has to be handled by the website's operator. In consequence, if the operator fails to address XSS, the application's users are defenseless against session hijacking attacks. In this paper we present SessionShield, a lightweight client-side protection mechanism against session hijacking that allows users to protect themselves even if a vulnerable website's operator neglects to mitigate existing XSS problems. SessionShield is based on the observation that session identifier values are not used by legitimate client-side scripts and, thus, need not be available to the scripting languages running in the browser. Our system requires no training period and imposes negligible overhead on the browser, making it ideal for desktop and mobile systems.
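The mechanism the abstract describes, in working form: session identifier cookies are intercepted before the browser stores them and re-attached only to outgoing requests, so an injected script reading document.cookie never sees them. This is an added example, not the paper's code or the SessionShield implementation. It models the protection as an in-path proxy object between browser and network (an assumption; the abstract does not state the deployment), and the list of framework session-cookie names, the entropy heuristic and its thresholds are this example's own assumptions. The sample headers are constructed.

```python
"""Client-side session-identifier shielding in the spirit of SessionShield.

Added example, not the paper's code. Assumed deployment: a component between
browser and network (modelled as a proxy object) sees every HTTP response and
request. The cookie-name list, the entropy heuristic and its thresholds are
this example's own choices.
"""
import math
import re
from collections import Counter, defaultdict

# Session-cookie names used by common server-side frameworks (assumed list).
KNOWN_SESSION_NAMES = {
    "phpsessid", "jsessionid", "asp.net_sessionid", "aspsessionid",
    "cfid", "cftoken", "sessionid", "session_id", "sid",
}
HEX_RE = re.compile(r"[0-9a-fA-F]{24,}")           # md5/sha1-style ids
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=._-]{16,}")    # base64 / url-safe tokens


def shannon_entropy(value: str) -> float:
    """Bits per character of `value` (at most log2 of the alphabet size)."""
    n = len(value)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_like_session_id(name: str, value: str) -> bool:
    """Classify a cookie as a session identifier.

    A known framework name wins outright. Otherwise a long hex blob, or a long
    token mixing letters and digits with high per-character entropy, counts.
    Structured values such as "accepted_all_categories_v2" stay below the bar.
    Trade-off: a random-looking non-session value that a legitimate page
    script does read (e.g. an analytics id) would be hidden from it as well.
    """
    if name.lower() in KNOWN_SESSION_NAMES:
        return True
    if HEX_RE.fullmatch(value):
        return True
    if (TOKEN_RE.fullmatch(value) and any(ch.isdigit() for ch in value)
            and any(ch.isalpha() for ch in value)):
        return shannon_entropy(value) >= 4.0
    return False


def parse_set_cookie(header_value: str):
    """Return (name, value, {lower-cased attribute names}) or None."""
    parts = [p.strip() for p in header_value.split(";")]
    if "=" not in parts[0]:
        return None
    name, value = parts[0].split("=", 1)
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), value.strip(), attrs


class SessionShieldProxy:
    """Strip session cookies from responses before the browser sees them and
    re-attach them to outgoing requests for the same host.

    Simplification: cookies are scoped per host only. A real implementation
    must honour Domain, Path, Expires and Secure exactly as the browser would,
    or it will leak a cookie to the wrong endpoint or keep an expired one.
    """

    def __init__(self):
        self._jar = defaultdict(dict)   # host -> {cookie name: value}

    def filter_response(self, host, headers):
        kept = []
        for hname, hval in headers:
            if hname.lower() != "set-cookie":
                kept.append((hname, hval))
                continue
            parsed = parse_set_cookie(hval)
            if parsed is None:
                kept.append((hname, hval))
                continue
            cname, cvalue, attrs = parsed
            # HttpOnly cookies are already hidden from scripts by the browser.
            if "httponly" not in attrs and looks_like_session_id(cname, cvalue):
                self._jar[host][cname] = cvalue
                continue                  # dropped: the browser never stores it
            kept.append((hname, hval))
        return kept

    def filter_request(self, host, headers):
        stored = self._jar.get(host)
        if not stored:
            return list(headers)
        extra = "; ".join(f"{k}={v}" for k, v in stored.items())
        out, merged = [], False
        for hname, hval in headers:
            if hname.lower() == "cookie":
                out.append((hname, f"{hval}; {extra}"))
                merged = True
            else:
                out.append((hname, hval))
        if not merged:
            out.append(("Cookie", extra))
        return out


if __name__ == "__main__":
    proxy = SessionShieldProxy()
    resp = [("Set-Cookie", "PHPSESSID=5f3c2a1b9e8d7c6b5a4f3e2d1c0b9a8f; Path=/"),
            ("Set-Cookie", "lang=en-US; Path=/")]          # constructed sample
    print(proxy.filter_response("example.com", resp))
    print(proxy.filter_request("example.com", [("Cookie", "lang=en-US")]))
```

The name list does most of the work; the entropy fallback exists for applications with custom cookie names, and its threshold is where false positives (random-looking cookies a script legitimately needs) trade against missed session identifiers. Cookies already marked HttpOnly are passed through untouched, since the browser itself keeps those out of document.cookie.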
This paper references
Computer Security - ESORICS 2009, 14th European Symposium on Research in Computer Security, Saint-Malo, France, September 21-23, 2009. Proceedings
Michael Backes (2009)
The Art of Computer Programming
D. E. Knuth (1968)
Why Aren't HTTP-only Cookies More Widely Deployed?
Yuchen Zhou (2010)
Preventing Cross Site Request Forgery Attacks
N. Jovanovic (2006)
Static detection of cross-site scripting vulnerabilities
Gary Wassermann (2008)
Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks
W. Xu (2006)
Defeating script injection attacks with browser-enforced embedded policies
T. Jim (2007)
The impending threat and the best defense
Whitehat Security
Alexa: The Web information company
Static Detection of Security Vulnerabilities in Scripting Languages
Y. Xie (2006)
A large-scale study of web password habits
D. Florêncio (2007)
Our favorite XSS filters/IDS and how to attack them. Presentation at the BlackHat US conference
Eduardo Vela Nava (2009)
Pixy: a static analysis tool for detecting Web application vulnerabilities
N. Jovanovic (2006)
Proceedings of the 30th international conference on Software engineering
W. Schäfer (2008)
IE 8 XSS Filter Architecture/Implementation
David Ross (2008)
Extensible Web Browser Security
M. Louw (2007)
Defending Against Injection Attacks Through Context-Sensitive String Evaluation
T. Pietraszek (2005)
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks
William G. J. Halfond (2006)
Mitigating Cross-site Scripting With HTTP-only Cookies
End-to-End Web Application Security
Úlfar Erlingsson (2007)
Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers
M. Louw (2009)
Static Enforcement of Web Application Integrity Through Strong Typing
William K. Robertson (2009)
XSSed — Cross Site Scripting (XSS) attacks information and archive
The Art in Computer Programming
A. Hunt (2001)
Modular string-sensitive permission analysis with demand-driven precision
E. Geay (2009)
Extensible Web Browser Security
Mike Ter Louw (2005)
Noxes: a client-side solution for mitigating cross-site scripting attacks
E. Kirda (2006)
HProxy: Client-Side Detection of SSL Stripping Attacks
Nick Nikiforakis (2010)
Mozilla Foundation. Content Security Policy Specification
xJS: Practical XSS Prevention for Web Application Development
Elias Athanasopoulos, Vasilis Pappas, Antonis Krithinakis, Spyros Ligouras, Evangelos P. Markatos, Thomas Karagiannis (2010)
Automatically Hardening Web Applications Using Precise Tainting
Anh Nguyen-Tuong (2005)
Finding Security Vulnerabilities in Java Applications with Static Analysis
B. Livshits (2005)
Engineering Secure Software and Systems
Úlfar Erlingsson (2011)
Tracking Information Flow in Dynamic Tree Structures
A. Russo (2009)
Secure Code Generation for Web Applications
M. Johns (2010)
CsFire: Transparent Client-Side Mitigation of Malicious Cross-Domain Requests
Philippe De Ryck (2010)
Regular expressions considered harmful in client-side XSS filters
Daniel Bates (2010)
NoScript Firefox Extension
Giorgio Maone (2006)
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
Leo A. Meyerovich (2010)
RequestRodeo: Client Side Protection against Session Riding
F. Piessens (2006)
Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis
P. Vogt (2007)
Detection of Intrusions and Malware, and Vulnerability Assessment
Roland Büschkes (2008)
Web Application Security Consortium. Web Hacking Incident Database
Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense
Yacin Nadji (2009)

This paper is referenced by
Analysis and prevention of security threats in web and cryptographic applications
M. Squarcina (2018)
Language-Based Web Session Integrity
S. Calzavara (2020)
Attacks on the User’s Session
Philippe De Ryck (2014)
JSFfox: Run-Timely Confining JavaScript for Firefox
Weizhong Qiang (2017)
Testing for Integrity Flaws in Web Sessions
Stefano Calzavara (2019)
Surviving the Web
S. Calzavara (2017)
Inference and Learning for Directed Probabilistic Logic Models
Wannes Meert (2011)
Critical Vulnerabilities and Client-Side Countermeasures
Nikolaos Nikiforakis (2013)
A Survey on Session Management Vulnerabilities in Web Application
Prabhu Namitha (2018)
Secure multi-execution of web scripts: Theory and practice
Willem De Groef (2014)
Assessment of Secure OpenID-Based DAAA Protocol for Avoiding Session Hijacking in Web Applications
Muhammad Bilal (2018)
ARP Cache Poisoning Mitigation and Forensics Investigation
Heman Awang Mangut (2015)
Modelling Cyber Attacks
Farida Chowdhury (2017)
Shepherd: Enabling Automatic and Large-Scale Login Security Studies
H. Jonker (2018)
Current state of research on cross-site scripting (XSS) - A systematic literature review
Isatou Hydara (2015)
Cookie Protection Through Browser Extensions
Alberto Carotti (2016)
FlowFox: a web browser with flexible and precise information flow control
Willem De Groef (2012)
New Method for Public Key Distribution Based on Social Networks
Krzysztof Podlaski (2015)
Enhancing Privacy in Smart Home Ecosystems Using Cryptographic Primitives and a Decentralized Cloud Entity
Rogier Vrooman (2017)
Surviving the Web: A Journey into Web Session Security
S. Calzavara (2018)
Better Security and Privacy for Web Browsers: A Survey of Techniques, and a New Implementation
Willem De Groef (2011)
Web Session Security: Formal Verification, Client-Side Enforcement and Experimental Analysis
Wilayat Khan (2015)
Serene: Self-Reliant Client-Side Protection against Session Fixation
P. D. Ryck (2012)
Understanding Machine Learning Effectiveness to Protect Web Authentication
Andrea Casini (2014)
Secure Data Exchange Based on Social Networks Public Key Distribution
Krzysztof Podlaski (2015)
BetterAuth: web authentication revisited
Martin Johns (2012)
Improving the security of session management in web applications
Philippe De Ryck (2013)
DEMACRO: Defense against Malicious Cross-Domain Requests
Sebastian Lekies (2012)
FlashOver: automated discovery of cross-site scripting vulnerabilities in rich internet applications
S. Acker (2012)
STYX: a trusted and accelerated hierarchical SSL key management and distribution system for cloud based CDN application
Changzheng Wei (2017)
Eradicating Bearer Tokens for Session Management
P. D. Ryck (2014)
Enforcing Session Integrity in the World "Wild" Web
Mauro Tempesta (2015)
Some data provided by Semantic Scholar.