The Cookie Hunter: Automated Black-box Auditing for Web Authentication and Authorization Flaws

Drakonakis, Kostas; Ioannidis, Sotiris; Polakis, Jason

doi:10.1145/3372297.3417869

Cited by 32 publications

(26 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Relying on https is key to providing protection for any traffic between a web browser and the server. Studies conducted by Sivakorn et al [30], [31], Drakonakis et al [3] and Englehardt et al [5] confirm the problematic situation of websites not properly deploying https. These studies conclude that websites which do not, or only partially, deploy https expose private information to attackers.…”

Section: Related Workmentioning

confidence: 99%

HTTPS-Only: Upgrading all connections to https in Web Browsers

Kerschbaumer¹,

Gaibler²,

Edelstein³

et al. 2021

Proceedings 2021 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

The number of websites that support encrypted and secure https connections has increased rapidly in recent years. Despite major gains in the proportion of websites supporting https, the web contains millions of legacy http links that point to insecure versions of websites. Worse, numerous websites often use http connections by default, even though they already support https. Establishing a connection using http rather than https has the downside that http transfers data in cleartext, granting an attacker the ability to eavesdrop, or even tamper with the transmitted data. To date, however, no web browser has attempted to remedy this problem by favouring secure connections by default.We present HTTPS-Only, an approach which first tries to establish a secure connection to a website using https and only allows a fallback to http if a secure connection cannot be established. Our approach also silently upgrades all insecure http subresource requests (image, stylesheet, script) within a secure website to use the secure https protocol instead. Our measurements indicate that our approach can upgrade the majority of connections to https and therefore suggests that browser vendors have an opportunity to evolve their current connection model.

show abstract

Section: Related Workmentioning

confidence: 99%

HTTPS-Only: Upgrading all connections to https in Web Browsers

Kerschbaumer¹,

Gaibler²,

Edelstein³

et al. 2021

Proceedings 2021 Workshop on Measurements, Attacks, and Defenses for the Web

View full text Add to dashboard Cite

show abstract

“…We audit the security of web sessions against the traditional threats posed by web attackers and network attackers, the standard attacker models of the web security literature [12], which have been commonly used in previous web session security studies, e.g., [13,14,8,15,1,16,17,9]. A web attacker is an unprivileged web user who operates a browser and has control of a malicious website.…”

Section: Threat Modelmentioning

confidence: 99%

“…A significant benefit of this approach is its general applicability, as it does not require SSO availability. In a recent study [9], this approach was used to login on 23,176 sites (out of 1.6M sites, 1.6%). A major downside to automatic registration is that the registration process is a critical security feature of websites frequently targeted for automated attack.…”

Section: Crowd-sourcing Credentialsmentioning

confidence: 99%

“…Thus, prior work on web session security reported on either (i) small-scale precise measurements involving a significant amount of manual effort [5,6,7], or (ii) large-scale measurements based on unauthenticated access to web applications, which miss valuable information, e.g., the login and logout processes [8]. The only notable exception is a recent paper, which analyzed post-login web session security at scale, but only focused on session hijacking enabled by cookie theft [9]. This means that prior web security studies are too small in terms of analyzed sites [5,6,7], too imprecise because carried out without performing authentication [8] or too narrow because they only cover a limited set of web session security threats [9]; we further discuss and compare against prior work in Section 8.…”

Section: Introductionmentioning

confidence: 99%

“…The only notable exception is a recent paper, which analyzed post-login web session security at scale, but only focused on session hijacking enabled by cookie theft [9]. This means that prior web security studies are too small in terms of analyzed sites [5,6,7], too imprecise because carried out without performing authentication [8] or too narrow because they only cover a limited set of web session security threats [9]; we further discuss and compare against prior work in Section 8.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations