Automatic and Robust Client-Side Protection for Cookie-Based Sessions

Bugliesi, Michele; Calzavara, Stefano; Focardi, Riccardo; Khan, Wilayat

doi:10.1007/978-3-319-04897-0_11

Cited by 14 publications

(20 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Similarly to the HTTP-Only flag, the Secure flag can be selectively applied to authentication cookies at the client-side, thus achieving additional protection against powerful network attackers [Bugliesi et al 2014a[Bugliesi et al , 2014b. Another solution against eavesdropping is HSTS [Hodges et al 2012], a browser security policy that forces any HTTP communication attempt to protected domains to be upgraded to HTTPS.…”

Section: Eavesdroppingmentioning

confidence: 99%

“…A few research works suggest to automatically apply the HTTP-Only flag to authentication cookies at the browser side when the remote server fails to protect them [Tang et al 2011;Nikiforakis et al 2011;Bugliesi et al 2014a]. …”

Section: </Script>mentioning

confidence: 99%

“…Because these cookies can be potentially fixated by a malicious script, they are stripped away from HTTP requests and never used for authentication; -COOKIEXT [Bugliesi et al 2014a] is an extension for Google Chrome designed to ensure the confidentiality of authentication cookies against both XSS attacks and network eavesdropping. COOKIEXT selectively applies both the HTTP-Only and the Secure flag to authentication cookies while forcing a redirection from HTTP to HTTPS for supporting websites.…”

Section: -Serene [De Ryck Et Al 2012] Is a Client-side Solution Agaimentioning

confidence: 99%

“…A complementary line of defense, advocated in a series of recent papers, may be built directly within the browser through client-side protection mechanisms [Tang et al 2011;De Ryck et al 2012Bugliesi et al 2014aBugliesi et al , 2014b. The key idea underlying such mechanisms is to apply the security practices neglected by the server by detecting authentication cookies at the client-side and enforcing a more conservative browser behavior when accessing them, for instance by applying them the HTTP-Only flag when it is not set by the web developers.…”

Section: Introductionmentioning

confidence: 98%

“…The complexity of web applications makes room for a large attack surface against authentication cookies, requiring web servers to deploy a variety of counter-measures to achieve a satisfactory degree of protection; for instance, web developers should mark the authentication cookies set by their web applications with the HTTP-Only flag, which instructs the browser to prevent any access to them by malicious scripts under the control of the attacker. Unfortunately, as reported in the literature, websites often fail to implement recommended security practices [Zhou and Evans 2010;Nikiforakis et al 2011;Bugliesi et al 2014a].…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

A Supervised Learning Approach to Protect Client Authentication on the Web

et al. 2015

Self Cite

View full text Add to dashboard Cite

Browser-based defenses have recently been advocated as an effective mechanism to protect potentially insecure web applications against the threats of session hijacking, fixation, and related attacks. In existing approaches, all such defenses ultimately rely on client-side heuristics to automatically detect cookies containing session information, to then protect them against theft or otherwise unintended use. While clearly crucial to the effectiveness of the resulting defense mechanisms, these heuristics have not, as yet, undergone any rigorous assessment of their adequacy. In this article, we conduct the first such formal assessment, based on a ground truth of 2,464 cookies we collect from 215 popular websites of the Alexa ranking.To obtain the ground truth, we devise a semiautomatic procedure that draws on the novel notion of authentication token, which we introduce to capture multiple web authentication schemes. We test existing browser-based defenses in the literature against our ground truth, unveiling several pitfalls both in the heuristics adopted and in the methods used to assess them. We then propose a new detection method based on supervised learning, where our ground truth is used to train a set of binary classifiers, and report on experimental evidence that our method outperforms existing proposals. Interestingly, the resulting classifiers, together with our hands-on experience in the construction of the ground truth, provide new insight on how web authentication is actually implemented in practice. . 2015. A supervised learning approach to protect client authentication on the web.

show abstract

Section: Eavesdroppingmentioning

confidence: 99%

Section: </Script>mentioning

confidence: 99%

Section: -Serene [De Ryck Et Al 2012] Is a Client-side Solution Agaimentioning

confidence: 99%

Section: Introductionmentioning

confidence: 98%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

A Supervised Learning Approach to Protect Client Authentication on the Web

et al. 2015

Self Cite

View full text Add to dashboard Cite

show abstract

Fine-Grained Detection of Privilege Escalation Attacks on Browser Extensions

Calzavara

Bugliesi

Crafa

et al. 2015

Programming Languages and Systems

Self Cite

View full text Add to dashboard Cite

Even though their architecture relies on robust security principles, it is well-known that poor programming practices may expose browser extensions to serious security flaws, leading to privilege escalations by untrusted web pages or compromised extension components. We propose a formal security analysis of browser extensions in terms of a finegrained characterization of the privileges that an active opponent may escalate through the message passing interface and we discuss to which extent current programming practices take this threat into account. Our theory builds on a formal language that embodies the essential features of JavaScript, together with few additional constructs dealing with the security aspects specific to the browser extension architecture. We then present a flow logic specification estimating the safety of browser extensions modelled in our language against the threats of privilege escalation and we prove its soundness. Finally, we show the feasibility of our approach by means of Chen, a prototype static analyser for Google Chrome extensions based on our flow logic specification.

show abstract

A Frictionless and Secure User Authentication in Web-Based Premium Applications

Olanrewaju

Khan²,

Morshidi

et al. 2021

IEEE Access

View full text Add to dashboard Cite

By and large authentication systems employed for web-based applications primarily utilize a conventional username and password-based schemes, which can be compromised easily. Currently, there is an evolution of various complex user authentication schemes based on the sophisticated methodology of encryption. However, many of these schemes suffer from either low impact full consequences or offer security at higher resource dependence. Furthermore, the majority of these schemes don't consider dynamic threat and attack strategies when the clients are exposed to unidentified attack environments. Hence, this paper proposes a secure user authentication mechanism for web applications with a frictionless experience. An automated authentication scheme is designed based on user behaviour login events. The uniqueness of user identity is validated in the proposed system at the login interface, followed by implying an appropriate user authentication process. The authentication process is executed under four different login mechanisms, which depend on the profiler and the authenticator function. The profiler uses user behavioural data, including login session time, device location, browser, and details of accessed web services. The system processes these data and generates a user profile via a profiler using the authenticator function. The authenticator provides a login mechanism to the user to perform the authentication process. After successful login attempts, the proposed system updates database for future evaluation in the authentication process. The study outcome shows that the proposed system excels to other authentication schemes for an existing web-based application. The proposed method, when comparatively examined, is found to offer approximately a 10% reduction in delay, 7% faster response time, and 11% minimized memory usage compared with existing authentication schemes for premium web-based applications.

show abstract

Automatic and Robust Client-Side Protection for Cookie-Based Sessions

Cited by 14 publications

References 14 publications

A Supervised Learning Approach to Protect Client Authentication on the Web

A Supervised Learning Approach to Protect Client Authentication on the Web

Fine-Grained Detection of Privilege Escalation Attacks on Browser Extensions

A Frictionless and Secure User Authentication in Web-Based Premium Applications

Contact Info

Product

Resources

About