CookiExt: Patching the browser against session hijacking attacks

Bugliesi, Michele; Calzavara, Stefano; Focardi, Riccardo; Khan, Wilayat

doi:10.3233/jcs-150529

Cited by 32 publications

(36 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Given that defenses against session hijacking also prevent sub-session hijacking, it might seem that sub-session hijacking is an already solved problem. Unfortunately, real-world websites rarely implement full protection against session hijacking [5,6,9,15,16] and commonly build their sessions on top of cookies with different confidentiality or integrity guarantees, which opens the way to sub-session hijacking. Concrete examples of reasons why this might happen in practice are the following:…”

Section: Impact Of Sub-session Hijackingmentioning

confidence: 99%

“…Necessary (but not sufficient) ingredients include the use of HSTS [3] to enforce ubiquitous encryption and cookie security attributes like HttpOnly and Secure [1] to defend against cookie leakage. Unfortunately, web developers often ignore these recommended security practices, because the adoption of HSTS still lags behind [4,5] and cookie security attributes are often unset [6]. Protection against session hijacking should thus not be taken for granted, especially when the attack surface is amplified by the widespread practice of using multiple cookies for session management [7,8].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Sub-session hijacking on the web: Root causes and prevention

Calzavara

Rabitti

Bugliesi

2019

JCS

Self Cite

View full text Add to dashboard Cite

Since cookies act as the only proof of a user identity, web sessions are particularly vulnerable to session hijacking attacks, where the browser run by a given user sends requests associated to the identity of another user. When n > 1 cookies are used to implement a session, there might actually be n sub-sessions running at the same website, where each cookie is used to retrieve part of the state information related to the session. Sub-session hijacking breaks the ideal view of the existence of a unique user session by selectively hijacking m sub-sessions, with m < n. This may reduce the security of the session to the security of its weakest sub-session. In this paper, we take a systematic look at the root causes of sub-session hijacking attacks and we introduce sub-session linking as a possible defense mechanism. Out of two flavors of sub-session linking desirable for security, which we call intra-scope and inter-scope sub-session linking respectively, only the former is relatively smooth to implement. Luckily, we also identify programming practices to void the need for inter-scope sub-session linking. We finally present Warden, a server-side proxy which automatically enforces intra-scope sub-session linking on incoming HTTP(S) requests, and we evaluate it in terms of protection, performances, backward compatibility and ease of deployment.

show abstract

Section: Impact Of Sub-session Hijackingmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Sub-session hijacking on the web: Root causes and prevention

Calzavara

Rabitti

Bugliesi

2019

JCS

Self Cite

View full text Add to dashboard Cite

show abstract

“…In general, there have been only few formal analysis efforts for web applications, standards, and browsers so far. Most of the existing efforts are based on formal representations of (parts of) web browsers or very limited models of web mechanisms and applications [3]- [5], [9]- [11], [14]- [17], [25], [26], [28], [34], [47].…”

Section: Related Workmentioning

confidence: 99%

“…In this case, b must have received an HTTPS response from i (honest identity providers do not send out unencrypted HTTP responses). Honest identity providers send out HTTPS responses in Lines 6,14,17,27,72, and 98 of Algorithm 24 and Line 17 of Algorithm 25. It is easy to see that i does not send out n in Lines 6, 14, 17, and 27 of Algorithm 24 and Line 17 of Algorithm 25 (given that the attacker does not know n), leaving Lines 72, and 98 of Algorithm 24 to analyze.…”

Section: Proof Of Authorizationmentioning

confidence: 99%

The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines

Fett

Küsters

Schmitz

2017

2017 IEEE 30th Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Abstract-Web-based single sign-on (SSO) services such as Google Sign-In and Log In with Paypal are based on the OpenID Connect protocol. This protocol enables so-called relying parties to delegate user authentication to so-called identity providers. OpenID Connect is one of the newest and most widely deployed single sign-on protocols on the web. Despite its importance, it has not received much attention from security researchers so far, and in particular, has not undergone any rigorous security analysis.In this paper, we carry out the first in-depth security analysis of OpenID Connect. To this end, we use a comprehensive generic model of the web to develop a detailed formal model of OpenID Connect. Based on this model, we then precisely formalize and prove central security properties for OpenID Connect, including authentication, authorization, and session integrity properties.In our modeling of OpenID Connect, we employ security measures in order to avoid attacks on OpenID Connect that have been discovered previously and new attack variants that we document for the first time in this paper. Based on these security measures, we propose security guidelines for implementors of OpenID Connect. Our formal analysis demonstrates that these guidelines are in fact effective and sufficient.

show abstract

“…A few works have developed formal verification techniques to model and analyze web browsers [14,17,16,7,8,30]. Akhawe et al [5] introduce a formal model of web security.…”

Section: Related Workmentioning

confidence: 99%

Invalid certificates in modern browsers: A socio-technical analysis

Giustolisi

Bella

Lenzini

2018

JCS

View full text Add to dashboard Cite

The authentication of a web server is a crucial procedure in the security of web browsing. It relies on certificate validation, a process that may require the participation of the user. Thus, the security of certificate validation is socio-technical as it depends on traditional security technology as well as on social elements such as cultural values, trust and human-computer interaction.This manuscript analyzes extensively the socio-technical security of certificate validation as carried out through today's most popular browsers. First, we model processes, protocols and ceremonies that browsers run with servers and users as UML activity diagrams. We consider both classic and private browsing modes and focus on the certificate validation. We then translate each UML activity diagram to a CSP# model. The model is expanded with the LTL formalization of five socio-technical properties pivoted on user involvement with certificate validation. We automatically check whether the CSP# models are socio-technically secure against Man-in-the-Middle attacks using the PAT model checker. The findings turn out to be far from straightforward. From them, we state best-practice recommendations to browser vendors. 3 validation. The mix of new browsers, modes, and properties increases the 16 scenarios analyzed in the previous paper to this manuscript's 60 scenarios. A disclaimer is in order that the proposed list of properties is not meant to be complete; however, our browser models are fairly well detailed, for example by allowing for the reception of a newly issued certificate to replace the older, expired one.The intellectual value that this manuscript gains is at least twofold: (i) it makes three best-practice recommendations to browsers upon the basis of the additional findings on the new set of browsers and modes; (ii) it finds two bugs in Safari, respectively one in Safari for OS X and one in Safari for iOS, which (we reported to Apple getting a reply that a fix would be available in the upcoming versions of the browser, and) are now filed with the vulnerability identifier CVE-2015-5859 [6,56]. It is also worth noting that, after our conference paper observed that Opera Mini fails to prompt the user in case of invalid certificate [12], a new version of the browser fixed this issue.Socio-technical analysis. Ellison coined the concept of a ceremony extending "the concept of network protocol by including human beings as nodes in the network" [25]; therefore, a ceremony is a technical system extended with its human users and the possible interactions between the system and its users . A ceremony extends the notion of protocol to include interactions, messages, and behaviours of the social components. Similarly, the term socio-technical system refers to the system including its social components [29]. Therefore, analyzing a ceremony means to conduct a socio-technical analysis focusing on socio-technical properties. It is somewhat understood that a socio-technical property pertains to how user choices affect a traditional property o...

show abstract

CookiExt: Patching the browser against session hijacking attacks

Cited by 32 publications

References 25 publications

Sub-session hijacking on the web: Root causes and prevention

Sub-session hijacking on the web: Root causes and prevention

The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines

Invalid certificates in modern browsers: A socio-technical analysis

Contact Info

Product

Resources

About