SessionShield: Lightweight Protection against Session Hijacking

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2011)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 6542)

Abstract

The class of Cross-site Scripting (XSS) vulnerabilities is the most prevalent security problem in the field of Web applications. One of the main attack vectors used in connection with XSS is session hijacking via session identifier theft. While session hijacking is a client-side attack, the actual vulnerability resides on the server-side and, thus, has to be handled by the website’s operator. In consequence, if the operator fails to address XSS, the application’s users are defenseless against session hijacking attacks.

In this paper we present SessionShield, a lightweight client-side protection mechanism against session hijacking that allows users to protect themselves even if a vulnerable website’s operator neglects to mitigate existing XSS problems. SessionShield is based on the observation that session identifier values are not used by legitimate client-side scripts and, thus, need not be available to the scripting languages running in the browser. Our system requires no training period and imposes negligible overhead on the browser, making it ideal for desktop and mobile systems.
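The abstract describes the mechanism only at the level of its core observation: a session identifier is needed on the wire but never by page scripts, so a client-side component can withhold it from the browser's script-visible cookie store and reinsert it on outgoing requests. The following is an added, constructed illustration of that idea and is not the paper's code or its actual detection rules; the cookie-name list, the token heuristic, the host-only scoping of the stored identifiers (Path and Domain attributes are ignored) and the simplified `document_cookie` model (which ignores the HttpOnly flag) are all assumptions made for this example.

```python
"""Toy model of a SessionShield-style client-side cookie filter.

Constructed example, not the paper's code. A local proxy sits between the
browser and the network: it removes cookies that look like session
identifiers from incoming Set-Cookie headers (so page scripts never see them
through document.cookie) and re-attaches them to outgoing requests for the
same host. Legitimate behaviour is unaffected because the server still
receives the identifier on every request.
"""
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Assumption: a heuristic list of session-cookie names, constructed for this
# example; the paper's own detection rules are not given on this page.
KNOWN_SESSION_NAMES = {
    "phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session_id", "sid",
}
# Assumption: an opaque token of at least 16 URL-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{16,}")


def looks_like_session_id(name: str, value: str) -> bool:
    """Rule 1: the cookie name is one a common framework uses for its session.
    Rule 2: the value is a long opaque token mixing letters and digits."""
    if name.lower() in KNOWN_SESSION_NAMES:
        return True
    return (bool(TOKEN_RE.fullmatch(value))
            and any(c.isdigit() for c in value)
            and any(c.isalpha() for c in value))


def parse_set_cookie(header_value: str) -> Tuple[str, str]:
    """Return (name, value) of a Set-Cookie header, dropping its attributes."""
    first = header_value.split(";", 1)[0]
    name, _, value = first.partition("=")
    return name.strip(), value.strip()


class SessionShieldProxy:
    def __init__(self) -> None:
        # host -> {cookie name: cookie value}; lives only in the proxy,
        # never in the browser's cookie store.
        self.vault: Dict[str, Dict[str, str]] = {}

    def filter_response(self, host: str, headers: List[Header]) -> List[Header]:
        """Headers to forward to the browser, minus session-id cookies."""
        forwarded: List[Header] = []
        for name, value in headers:
            if name.lower() == "set-cookie":
                cname, cvalue = parse_set_cookie(value)
                if looks_like_session_id(cname, cvalue):
                    self.vault.setdefault(host, {})[cname] = cvalue
                    continue  # withheld from the browser
            forwarded.append((name, value))
        return forwarded

    def filter_request(self, host: str, headers: List[Header]) -> List[Header]:
        """Headers to send to the server, with stored session-id cookies merged
        into the Cookie header (appended if the browser sent none)."""
        stored = self.vault.get(host, {})
        if not stored:
            return list(headers)
        extra = "; ".join(f"{n}={v}" for n, v in stored.items())
        out: List[Header] = []
        merged = False
        for name, value in headers:
            if name.lower() == "cookie" and not merged:
                out.append((name, f"{value}; {extra}"))
                merged = True
            else:
                out.append((name, value))
        if not merged:
            out.append(("Cookie", extra))
        return out


def document_cookie(forwarded_headers: List[Header]) -> str:
    """What a page script would read from document.cookie after the browser
    processed the forwarded headers (simplification: HttpOnly is ignored)."""
    pairs = [parse_set_cookie(v) for n, v in forwarded_headers if n.lower() == "set-cookie"]
    return "; ".join(f"{n}={v}" for n, v in pairs)


def demo() -> Tuple[str, str]:
    """Constructed exchange: one response setting two cookies, then the next
    request. Returns (script-visible cookies, Cookie header sent upstream)."""
    proxy = SessionShieldProxy()
    response = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "PHPSESSID=9f3b2c7d8e1a4b5c6d7e8f9a0b1c2d3e; Path=/"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ]
    to_browser = proxy.filter_response("shop.example", response)
    next_request = proxy.filter_request(
        "shop.example", [("Host", "shop.example"), ("Cookie", "theme=dark")])
    return document_cookie(to_browser), dict(next_request)["Cookie"]


if __name__ == "__main__":
    visible, upstream = demo()
    print("document.cookie sees:", visible)
    print("server receives:     ", upstream)
```

An injected script reading `document.cookie` in this model obtains only `theme=dark`, while the server still receives `PHPSESSID` on the next request, which is the separation the abstract relies on. The heuristic is the weak point of any such scheme: a session cookie that matches neither rule reaches the browser unprotected, and a non-session cookie that does match is needlessly hidden from scripts that may legitimately need it, so a deployment would need the detection rules tuned and measured on real traffic.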




Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Nikiforakis, N., Meert, W., Younan, Y., Johns, M., Joosen, W. (2011). SessionShield: Lightweight Protection against Session Hijacking. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2011. Lecture Notes in Computer Science, vol 6542. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19125-1_7


  • DOI: https://doi.org/10.1007/978-3-642-19125-1_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-19124-4

  • Online ISBN: 978-3-642-19125-1

  • eBook Packages: Computer Science (R0)
