
Surviving the Web

S. Calzavara, R. Focardi, M. Squarcina, M. Tempesta
Published 2017 · Computer Science

In this article, we survey the most common attacks against web sessions, that is, attacks that target honest web browser users establishing an authenticated session with a trusted web application. We then review existing security solutions that prevent or mitigate the different attacks by evaluating them along four different axes: protection, usability, compatibility, and ease of deployment. We also assess several defensive solutions that aim at providing robust safeguards against multiple attacks. Based on this survey, we identify five guidelines that, to different extents, have been taken into account by the designers of the different proposals we reviewed. We believe that these guidelines can be helpful for the development of innovative solutions approaching web security in a more systematic and comprehensive way.

This paper is referenced by

Sascha Fahl (2019). Mobile Security Knowledge Area, Issue 1.0.
Talwinder Singh (2020). Prevention of session hijacking using token and session id reset approach. doi:10.1007/s41870-020-00486-w
Phoey Lee Teh (2018). A comparative study of the effectiveness of sentiment tools and human coding in sarcasm detection. doi:10.1108/JSIT-12-2017-0120
Stefano Calzavara (2019). Testing for Integrity Flaws in Web Sessions. doi:10.1007/978-3-030-29962-0_29
M. Pirahandeh (2018). On Cloud of Things Vulnerability (Spring 2018).
Cristian-Alexandru Staicu (2019). Leaky Images: Targeted Privacy Attacks in the Web.
M. Squarcina (2018). Analysis and prevention of security threats in web and cryptographic applications.
Kenneth P. LaCroix (2017). Cookies and Sessions: A Study of What They Are, How They Work and How They Can Be Stolen. doi:10.1109/ICSSA.2017.9
Franco Tommasi (2019). Mobile Session Fixation Attack in Micropayment Systems. doi:10.1109/ACCESS.2019.2905219
Matthew Armstrong (2019). Bioinformatics Cloud Security. doi:10.1109/CloudSummit47114.2019.00018
Junhui He (2020). On one-time cookies protocol based on one-time password. doi:10.1007/s00500-019-04138-5
S. Calzavara (2019). Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem. doi:10.1109/SP.2019.00053
S. Calzavara (2020). Machine Learning for Web Vulnerability Detection: The Case of Cross-Site Request Forgery. doi:10.1109/MSEC.2019.2961649
Young Back Choi (2019). Cookies and Sessions: A Study of What They Are, How They Can Be Stolen and a Discussion on Security. doi:10.14569/IJACSA.2019.0100104
L. Veronese (2020). Bulwark: Holistic and Verified Security Monitoring of Web Protocols. doi:10.1007/978-3-030-58951-6_2
S. Calzavara (2020). Language-Based Web Session Integrity. doi:10.1109/CSF49147.2020.00016
Mainduddin Ahmad Jonas (2019). An Intelligent System for Preventing SSL Stripping-based Session Hijacking Attacks. doi:10.1109/MILCOM47813.2019.9021026
S. Calzavara (2018). Surviving the Web: A Journey into Web Session Security. doi:10.1145/3184558.3186232
S. Calzavara (2019). Sub-session hijacking on the web: Root causes and prevention. doi:10.3233/JCS-181149
Jonathan M. Spring (2019). Review of human decision-making during computer security incident analysis.
Arijit Datta (2019). Bridging the Digital Divide: Challenges in Opening the Digital World to the Elderly, Poor, and Digitally Illiterate. doi:10.1109/MCE.2018.2867985
S. Calzavara (2019). Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF Vulnerabilities. doi:10.1109/EuroSP.2019.00045