Sub-session hijacking on the web: Root causes and prevention

Calzavara, Stefano; Rabitti, Alvise; Bugliesi, Michele

doi:10.3233/jcs-181149

Cited by 14 publications

(13 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Furthermore, Shepherd could be extended to identify sites whose login system exhibits specific behaviour. One example could be sites that store session identifiers in local storage instead of using cookies; another is looking for sites vulnerable so sub-session hijacking [CRB19] (which relies on presence of multiple authentication cookies).…”

Section: A Measuring Post-login Featuresmentioning

confidence: 99%

Shepherd: a Generic Approach to Automating Website Login

Jonker

Karsch

Krumnow

et al. 2020

Proceedings 2020 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

To gauge adoption of web security measures, largescale testing of website security is needed. However, the diversity of modern websites makes a structured approach to testing a daunting task. This is especially a problem with respect to logging in: there are many subtle deviations in the flow of the login process between websites. Current efforts investigating login security typically are semi-automated, requiring manual intervention which does not scale well. Hence, comprehensive studies of post-login areas have not been possible yet. In this paper, we introduce Shepherd, a generic framework for logging in on websites. Given credentials, it provides a fully automated attempt at logging in. We discuss various design challenges related to automatically identifying login areas, validating correct logins, and detecting incorrect credentials. The tool collects data on successes and failures for each of these. We evaluate Shepherd's capabilities to login on thousands of sites, using unreliable, legitimately crowd-sourced credentials for a random selection from the Alexa Top websites list. Notwithstanding parked domains, invalid credentials, etc., Shepherd was able to automatically log in on 7,113 sites from this set, an order of magnitude beyond previous efforts at automating login.

show abstract

Section: A Measuring Post-login Featuresmentioning

confidence: 99%

Shepherd: a Generic Approach to Automating Website Login

Jonker

Karsch

Krumnow

et al. 2020

Proceedings 2020 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

show abstract

“…The HWL Proxy is implemented in Go and is available as open source 3 . Note that its standard http library was not used because it is subject to vulnerabilities as well [2].…”

Section: Methodsmentioning

confidence: 99%

“…In this section, we provide an overview of semantic gap vulnerabilities in HTTP message processing as defined in Section 2. Attacks based on semantic gaps in other application layers, such as processing multiple cookies [3], are out of scope.…”

Section: Attacks Rooted In a Semantic Gapmentioning

confidence: 99%

Less is Often More: Header Whitelisting as Semantic Gap Mitigation in HTTP-Based Software Systems

Büttner

Nguyen

Gruschka

et al. 2021

ICT Systems Security and Privacy Protection

View full text Add to dashboard Cite

The web is the most wide-spread digital system in the world and is used for many crucial applications. This makes web application security extremely important and, although there are already many security measures, new vulnerabilities are constantly being discovered. One reason for some of the recent discoveries lies in the presence of intermediate systems-e.g. caches, message routers, and load balancers-on the way between a client and a web application server. The implementations of such intermediaries may interpret HTTP messages differently, which leads to a semantically different understanding of the same message. This so-called semantic gap can cause weaknesses in the entire HTTP message processing chain. In this paper we introduce the header whitelisting (HWL) approach to address the semantic gap in HTTP message processing pipelines. The basic idea is to normalize and reduce an HTTP request header to the minimum required fields using a whitelist before processing it in an intermediary or on the server, and then restore the original request for the next hop. Our results show that HWL can avoid misinterpretations of HTTP messages in the different components and thus prevent many attacks rooted in a semantic gap including request smuggling, cache poisoning, and authentication bypass.

show abstract

“…Analyzing web session security requires authenticated access to web applications, which is a difficult process to automate [4]. Thus, prior work on web session security reported on either (i) small-scale precise measurements involving a significant amount of manual effort [5,6,7], or (ii) large-scale measurements based on unauthenticated access to web applications, which miss valuable information, e.g., the login and logout processes [8]. The only notable exception is a recent paper, which analyzed post-login web session security at scale, but only focused on session hijacking enabled by cookie theft [9].…”

Section: Introductionmentioning

confidence: 99%

“…The only notable exception is a recent paper, which analyzed post-login web session security at scale, but only focused on session hijacking enabled by cookie theft [9]. This means that prior web security studies are too small in terms of analyzed sites [5,6,7], too imprecise because carried out without performing authentication [8] or too narrow because they only cover a limited set of web session security threats [9]; we further discuss and compare against prior work in Section 8.…”

Section: Introductionmentioning

confidence: 99%