SessionSafe: Implementing XSS Immune Session Handling

  • Martin Johns
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4189)


With the growing use of web applications, the danger posed by cross-site scripting vulnerabilities increases in severity. The most serious threats resulting from cross-site scripting vulnerabilities are session hijacking attacks: exploits that steal or fraudulently use the victim’s identity. In this paper we classify the currently known attack methods to enable the development of countermeasures against this threat. By closely examining the resulting attack classes, we identify the characteristics of a web application that enable each attack method: the availability of session tokens to JavaScript, the attacker’s pre-knowledge of the application’s URLs, and the implicit trust relationship between web pages of the same origin. Building on this classification, we introduce three novel server-side techniques to prevent session hijacking attacks. Each proposed countermeasure removes one of the identified prerequisites of the attack classes. SessionSafe, a combination of the proposed methods, protects the web application by removing the fundamental requirements of session hijacking attacks and thus disables the attacks reliably.


Keywords: Object Creation, Random Nonce, Cross Site Script, Implicit Trust, Server Script





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Martin Johns, Dept. of Informatics, Security in Distributed Systems (SVS), University of Hamburg, Hamburg
