
SessionShield: Lightweight Protection Against Session Hijacking

N. Nikiforakis, Wannes Meert, Yves Younan, M. Johns, W. Joosen
Published 2011 · Computer Science

The class of Cross-site Scripting (XSS) vulnerabilities is the most prevalent security problem in the field of Web applications. One of the main attack vectors used in connection with XSS is session hijacking via session identifier theft. While session hijacking is a client-side attack, the actual vulnerability resides on the server side and, thus, has to be handled by the website's operator. Consequently, if the operator fails to address XSS, the application's users are defenseless against session hijacking attacks. In this paper we present SessionShield, a lightweight client-side protection mechanism against session hijacking that allows users to protect themselves even if a vulnerable website's operator neglects to mitigate existing XSS problems. SessionShield is based on the observation that session identifier values are not used by legitimate client-side scripts and, thus, need not be available to the scripting languages running in the browser. Our system requires no training period and imposes negligible overhead on the browser, which makes it ideal for desktop and mobile systems.
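The abstract describes the core idea: session identifier cookies are never needed by legitimate page scripts, so a client-side component can strip them from responses before the browser (and thus `document.cookie`) ever sees them, and transparently re-attach them to outgoing requests. The following is an added illustration of that mechanism in JavaScript; it is not the paper's code, and the detection heuristic used here (a list of well-known session cookie names plus a length/entropy check on the value), the class and function names, and the sample `Set-Cookie` headers are all my assumptions, constructed for the example.

```javascript
// Added example: a minimal SessionShield-style cookie filter.
// Not the paper's implementation; names and heuristics are assumptions.

// Assumption: well-known session cookie names from common web frameworks.
const KNOWN_SESSION_NAMES =
  /^(PHPSESSID|JSESSIONID|ASP\.NET_SessionId|CFID|CFTOKEN|sid|sessionid|session_id)$/i;

// Shannon entropy in bits per character of a string.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Heuristic (assumption): a cookie is treated as a session identifier if its
// name is well known, or if its value is a long, high-entropy opaque token.
function looksLikeSessionId(name, value) {
  if (KNOWN_SESSION_NAMES.test(name)) return true;
  return (
    value.length >= 16 &&
    /^[A-Za-z0-9+/=_-]+$/.test(value) &&
    shannonEntropy(value) >= 3.5
  );
}

// Parse "name=value; Attr; Attr=val" into its parts. The first '=' splits
// name from value so base64-style values containing '=' survive intact.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

class SessionShield {
  constructor() {
    // origin -> Map(cookie name -> value), held outside the browser's cookie
    // store so page scripts (including an injected XSS payload) cannot read it.
    this.jar = new Map();
  }

  // Called on each HTTP response. Session identifiers are moved into the
  // private jar; everything else is returned for the browser to store as usual.
  filterResponse(origin, setCookieHeaders) {
    const passThrough = [];
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h);
      if (looksLikeSessionId(c.name, c.value)) {
        if (!this.jar.has(origin)) this.jar.set(origin, new Map());
        this.jar.get(origin).set(c.name, c.value);
      } else {
        passThrough.push(h);
      }
    }
    return passThrough;
  }

  // Called on each outgoing request to `origin`. The browser supplies the
  // Cookie header it knows about; the stripped session cookies are re-added
  // so the server sees exactly what it set.
  outgoingCookieHeader(origin, browserCookieHeader) {
    const parts = browserCookieHeader ? [browserCookieHeader] : [];
    const stored = this.jar.get(origin);
    if (stored) for (const [n, v] of stored) parts.push(`${n}=${v}`);
    return parts.join('; ');
  }
}

// Constructed demo: what an XSS payload reading document.cookie would see
// versus what the server receives on the next request.
const shield = new SessionShield();
const origin = 'https://example.test';
const visibleToScripts = shield.filterResponse(origin, [
  'PHPSESSID=abc123; Path=/',
  'lang=en-US; Path=/',
  'token=aB3dE5fG7hI9jK1lMn2oPq4rSt6uVw8x; Path=/; Secure',
]);
console.log('cookies the browser/page scripts keep:', visibleToScripts);
console.log('Cookie header sent to server:',
  shield.outgoingCookieHeader(origin, 'lang=en-US'));
```

The point of the example is the split: only `lang` reaches the browser's cookie store, so `document.cookie` never exposes `PHPSESSID` or the opaque `token`, while the server still receives all three. The practical caveat is the false-positive side of any such heuristic: a long, random-looking cookie that a legitimate script does need (a client-side feature flag, for instance) would also be hidden, which is why the entropy threshold and name list are the parameters a deployment has to tune.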
This paper is referenced by
Analysis and prevention of security threats in web and cryptographic applications
M. Squarcina (2018)
10.1109/csf49147.2020.00016
Language-Based Web Session Integrity
S. Calzavara (2020)
10.1007/978-3-319-12226-7_7
Attacks on the User’s Session
Philippe De Ryck (2014)
10.1007/978-3-319-59870-3_8
JSFfox: Run-Timely Confining JavaScript for Firefox
Weizhong Qiang (2017)
10.1007/978-3-030-29962-0_29
Testing for Integrity Flaws in Web Sessions
Stefano Calzavara (2019)
10.1145/3038923
Surviving the Web
S. Calzavara (2017)
Inference and Learning for Directed Probabilistic Logic Models (Inferentie en leren voor gerichte probabilistische logische modellen)
Wannes Meert (2011)
Critical Vulnerabilities and Client-Side Countermeasures
Nikolaos Nikiforakis (2013)
10.1109/ICCPCCT.2018.8574238
A Survey on Session Management Vulnerabilities in Web Application
Prabhu Namitha (2018)
10.3233/JCS-130495
Secure multi-execution of web scripts: Theory and practice
Willem De Groef (2014)
10.1155/2018/6315039
Assessment of Secure OpenID-Based DAAA Protocol for Avoiding Session Hijacking in Web Applications
Muhammad Bilal (2018)
10.1109/Trustcom.2015.536
ARP Cache Poisoning Mitigation and Forensics Investigation
Heman Awang Mangut (2015)
10.5121/IJNSA.2017.9402
Modelling Cyber Attacks
Farida Chowdhury (2017)
Shepherd: Enabling Automatic and Large-Scale Login Security Studies
H. Jonker (2018)
10.1016/j.infsof.2014.07.010
Current state of research on cross-site scripting (XSS) - A systematic literature review
Isatou Hydara (2015)
Cookie Protection Through Browser Extensions
Alberto Carotti (2016)
10.1145/2382196.2382275
FlowFox: a web browser with flexible and precise information flow control
Willem De Groef (2012)
New Method for Public Key Distribution Based on Social Networks
Krzysztof Podlaski (2015)
Enhancing Privacy in Smart Home Ecosystems Using Cryptographic Primitives and a Decentralized Cloud Entity
Rogier Vrooman (2017)
10.1145/3184558.3186232
Surviving the Web: A Journey into Web Session Security
S. Calzavara (2018)
10.1007/978-3-642-29420-4_2
Better Security and Privacy for Web Browsers: A Survey of Techniques, and a New Implementation
Willem De Groef (2011)
Web Session Security: Formal Verification, Client-Side Enforcement and Experimental Analysis
Wilayat Khan (2015)
10.1007/978-3-642-30823-9_5
Serene: Self-Reliant Client-Side Protection against Session Fixation
P. D. Ryck (2012)
Understanding Machine Learning Effectiveness to Protect Web Authentication
Andrea Casini (2014)
10.1007/978-3-319-47063-4_5
Secure Data Exchange Based on Social Networks Public Key Distribution
Krzysztof Podlaski (2015)
10.1145/2420950.2420977
BetterAuth: web authentication revisited
Martin Johns (2012)
Improving the security of session management in web applications
Philippe De Ryck (2013)
10.1007/978-3-642-33338-5_13
DEMACRO: Defense against Malicious Cross-Domain Requests
Sebastian Lekies (2012)
10.1145/2414456.2414462
FlashOver: automated discovery of cross-site scripting vulnerabilities in rich internet applications
S. Acker (2012)
10.1145/3127479.3127482
STYX: a trusted and accelerated hierarchical SSL key management and distribution system for cloud based CDN application
Changzheng Wei (2017)
Eradicating Bearer Tokens for Session Management
P. D. Ryck (2014)
Enforcing Session Integrity in the World "Wild" Web
Mauro Tempesta (2015)