Serene: Self-Reliant Client-Side Protection against Session Fixation

Abstract: The web is the most widespread and de facto distributed platform, with a plethora of valuable applications and services. Building stateful services on the web requires a session mechanism that keeps track of server-side session state, such as authentication data. These sessions are an attractive attacker target, since taking over an authenticated session fully compromises the user’s account. This paper focuses on session fixation, where an attacker forces the user to use the attacker’s session, allowing the attacker to take over the session after authentication. We present Serene, a self-reliant client-side countermeasure that protects the user from session fixation attacks, regardless of the security provisions – or lack thereof – of a web application. By specifically protecting session identifiers from fixation and not interfering with other cookies or parameters, Serene is able to autonomously protect a large majority of web applications, without being disruptive towards legitimate functionality. We experimentally validate these claims with a large-scale study of Alexa’s top one million sites, illustrating both Serene’s large coverage (83.43%) and compatibility (95.55%).
Document type:
Conference paper
Karl Michael Göschka; Seif Haridi. 12th International Conference on Distributed Applications and Interoperable Systems (DAIS), Jun 2012, Stockholm, Sweden. Springer, Lecture Notes in Computer Science, LNCS-7272, pp.59-72, 2012, Distributed Applications and Interoperable Systems. 〈10.1007/978-3-642-30823-9_5〉

Cited literature [19 references]

https://hal.inria.fr/hal-01527644
Contributor: Hal Ifip <>
Submitted on: Wednesday 24 May 2017 - 17:23:01
Last modified on: Wednesday 24 May 2017 - 17:24:55
Document(s) archived on: Monday 28 August 2017 - 17:53:17

File

978-3-642-30823-9_5_Chapter.pd...
Files produced by the author(s)

License


Distributed under a Creative Commons Attribution 4.0 International License


Citation

Philippe Ryck, Nick Nikiforakis, Lieven Desmet, Frank Piessens, Wouter Joosen. Serene: Self-Reliant Client-Side Protection against Session Fixation. Karl Michael Göschka; Seif Haridi. 12th International Conference on Distributed Applications and Interoperable Systems (DAIS), Jun 2012, Stockholm, Sweden. Springer, Lecture Notes in Computer Science, LNCS-7272, pp.59-72, 2012, Distributed Applications and Interoperable Systems. 〈10.1007/978-3-642-30823-9_5〉. 〈hal-01527644〉


Metrics

Record views: 53

File downloads: 26