Abstract
With the growing trend towards the use of web applications, the danger posed by cross-site scripting vulnerabilities gains severity. The most serious threats resulting from cross-site scripting vulnerabilities are session hijacking attacks: exploits that steal or fraudulently use the victim’s identity. In this paper we classify currently known attack methods to enable the development of countermeasures against this threat. By close examination of the resulting attack classes, we identify the web application’s characteristics that are responsible for enabling the individual attack methods: the availability of session tokens via JavaScript, the pre-knowledge of the application’s URLs, and the implicit trust relationship between web pages of the same origin. Building on this work we introduce three novel server-side techniques to prevent session hijacking attacks. Each proposed countermeasure removes one of the identified prerequisites of the attack classes. SessionSafe, a combination of the proposed methods, protects the web application by removing the fundamental requirements of session hijacking attacks, thus disabling the attacks reliably.
This work was supported by the German Ministry of Economics and Technology (BMWi) as part of the project “secologic”, www.secologic.org.
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
Johns, M. (2006). SessionSafe: Implementing XSS Immune Session Handling. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds) Computer Security – ESORICS 2006. ESORICS 2006. Lecture Notes in Computer Science, vol 4189. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11863908_27
DOI: https://doi.org/10.1007/11863908_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44601-9
Online ISBN: 978-3-540-44605-7