Online citations, reference lists, and bibliographies.

Prevent Session Hijacking By Binding The Session To The Cryptographic Network Credentials

W. Burgers, Roel Verdult, M. V. Eekelen
Published 2013 · Computer Science

Cite This
Download PDF
Analyze on Scholarcy
Share
Many cyber-physical applications are responsible for safety critical or business critical infrastructure. Such applications are often controlled through a web interface. They manage sensitive databases, drive important SCADA systems or represent imperative business processes. A vast majority of such web applications are well-known to be vulnerable to a number of exploits. The focus of this paper is on the vulnerability of session stealing, also called session hijacking. We developed a novel method to prevent session stealing in general. The key idea of the method is binding the securely negotiated communication channel to the application user authentication. For this we introduce a server side reverse proxy which runs independently from the client and server software. The proposed method wraps around the deployed infrastructure and requires no alterations to existing software. This paper discusses the technical encryption issues involved with employing this method. We describe a prototype implementation and motivate the technical choices made. Furthermore, the prototype is validated by applying it to secure the particularly vulnerable Blackboard Learn system, which is a important and critical infrastructural application for our university. We concretely demonstrate how to protect this system against session stealing. Finally, we discuss the application areas of this new method.
This paper references
Release notes for blackboard learn 9.1 service pack 8 (9.1.82223.0)
Blackboard Inc
Session proxy, a prevention method for session hijacking in blackboard. bachelor thesis, Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands
Willem Burgers (2012)
LNCS
N Zannone (2011)
10.1007/3-540-45661-9_21
Compression and Information Leakage of Plaintext
J. Kelsey (2002)
10.1007/11863908
Computer Security - ESORICS 2006, 11th European Symposium on Research in Computer Security, Hamburg, Germany, September 18-20, 2006, Proceedings
D. Gollmann (2006)
10.1007/11863908_27
SessionSafe: Implementing XSS Immune Session Handling
M. Johns (2006)
Security research blackboard academic suite. https://www.online24.nl/blackboard-security-research
Michiel Prins (2010)
10.1155/2012/268478
Security and Vulnerability of SCADA Systems over IP-Based Wireless Sensor Networks
HyungJun Kim (2012)
10.1007/3-540-48519-8
Fast Software Encryption
G. Goos (2001)
Session proxy, a prevention method for session hijacking in blackboard . bachelor thesis, Institute for Computing and Information Sciences
W Burgers (2012)
10.4225/75/57B4164330DF2
Review of Browser Extensions, a Man-in-the-Browser Phishing Techniques Targeting Bank Customers
Nattakant Utakrit (2009)
Security research blackboard academic suite Online
M. Prins (2010)
10.1016/j.comcom.2006.03.004
SSL/TLS session-aware user authentication - Or how to effectively thwart the man-in-the-middle
R. Oppliger (2006)
Here come the XOR Ninjas
Thai Duong (2011)
10.1007/978-3-642-19125-1
Engineering Secure Software and Systems
Úlfar Erlingsson (2011)
Here come the XOR Ninjas White paper, Netifera Blackboard Security Assessment
T Duong (2011)
10.1007/978-3-642-19125-1_7
SessionShield: Lightweight Protection against Session Hijacking
Nick Nikiforakis (2011)
Blackboard Security Assessment
M.C.J.D. van Eekelen (2013)
Release notes for blackboard learn 9
Blackboard Inc (2011)
Information Security: Theory and Practice
Patel (2008)
Session proxy, a prevention method for session hijacking in blackboard
W. Burgers (2012)
10.1007/978-3-642-21040-2_4
SSL/TLS Session-Aware User Authentication Using a GAA Bootstrapped Key
Chunhua Chen (2011)



This paper is referenced by
Semantic Scholar Logo Some data provided by SemanticScholar