
IFIP International Conference on Distributed Applications and Interoperable Systems

DAIS 2012: Distributed Applications and Interoperable Systems, pp. 59–72

Serene: Self-Reliant Client-Side Protection against Session Fixation


Philippe De Ryck, Nick Nikiforakis, Lieven Desmet, Frank Piessens & Wouter Joosen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7272)

Abstract

The web is the most widespread and de facto distributed platform, with a plethora of valuable applications and services. Building stateful services on the web requires a session mechanism that keeps track of server-side session state, such as authentication data. These sessions are an attractive attacker target, since taking over an authenticated session fully compromises the user’s account. This paper focuses on session fixation, where an attacker forces the user to use the attacker’s session, allowing the attacker to take over the session after authentication.

We present Serene, a self-reliant client-side countermeasure that protects the user from session fixation attacks, regardless of the security provisions – or lack thereof – of a web application. By specifically protecting session identifiers from fixation and not interfering with other cookies or parameters, Serene is able to autonomously protect a large majority of web applications, without being disruptive towards legitimate functionality. We experimentally validate these claims with a large-scale study of Alexa’s top one million sites, illustrating both Serene’s large coverage (83.43%) and compatibility (95.55%).
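The fixation pattern the abstract defines, shown as an added example that is not code from the paper: a session store whose login routine keeps the session identifier the browser already presents (the condition under which a pre-existing identifier becomes an authenticated one) beside a login routine that renews the identifier at authentication time. This is the conventional server-side provision that the abstract says an application may lack; it is not Serene's client-side mechanism, which the abstract does not detail. The `SessionStore` class, the two `login_*` functions and the constructed identifier `"id-known-before-login"` are all assumptions of this illustration.

```python
import secrets


class SessionStore:
    """Constructed in-memory stand-in for a server's session backend."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": username or None}

    def new_session(self):
        # 256 bits of randomness: an id nobody can guess or choose in advance
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        return self.sessions.get(sid)


def login_vulnerable(store, presented_sid, username):
    """Authenticates the session the browser already presents, in place.

    Defect (deliberate, for illustration): the id that existed before
    authentication is the id that is authenticated afterwards. Any id that
    reached the browser before login therefore ends up naming an
    authenticated session.
    """
    session = store.lookup(presented_sid)
    if session is None:
        # permissive lookup: an unknown id is adopted as a new session
        session = {"user": None}
        store.sessions[presented_sid] = session
    session["user"] = username
    return presented_sid


def login_hardened(store, presented_sid, username):
    """Issues a fresh id at the moment privilege changes (login).

    The presented id is invalidated if it existed and is never
    authenticated, so an id known before login is worthless afterwards.
    """
    store.sessions.pop(presented_sid, None)
    sid = store.new_session()
    store.sessions[sid]["user"] = username
    return sid


def fixation_survives(login):
    """Checks a login routine against the scenario the abstract describes.

    A constructed id is present in the browser before authentication; the
    check returns True if that same id is authenticated after login, i.e.
    if the login routine leaves the application open to fixation.
    """
    store = SessionStore()
    preset_sid = "id-known-before-login"  # constructed sample value
    login(store, preset_sid, "alice")
    session = store.lookup(preset_sid)
    return session is not None and session["user"] == "alice"


if __name__ == "__main__":
    print("vulnerable login survives fixation:", fixation_survives(login_vulnerable))  # True
    print("hardened login survives fixation:", fixation_survives(login_hardened))      # False
```

`fixation_survives` is the check a reviewer would run against a session implementation: it does not depend on how the identifier reached the browser, only on whether the identifier that was known before authentication is still valid and authenticated afterwards. A client-side countermeasure in the spirit of the abstract has to achieve the same outcome for applications whose login behaves like `login_vulnerable`, without the cooperation of the server.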

Keywords

  • web applications
  • security
  • session fixation

This work incorporates contributions from KU Leuven master students Bram Bonné [4] and Joeri Ledegen. This research is partially funded by the Interuniversity Attraction Poles Programme Belgian State, Belgian Science Policy, IBBT, IWT, the Research Fund KU Leuven and the EU-funded FP7-projects WebSand and NESSoS.


References

  1. Aggarwal, G., Bursztein, E., Jackson, C., Boneh, D.: An analysis of private browsing modes in modern browsers. In: Proceedings of the 19th USENIX Conference on Security, p. 6. USENIX Association (2010)
  2. Barth, A., Jackson, C., Mitchell, J.: Securing frame communication in browsers. Communications of the ACM 52(6), 83–91 (2009)
  3. BBC: Privacy and cookies (2012), http://www.bbc.co.uk/privacy/
  4. Bonné, B.: Improving session security in web applications, http://research.edm.uhasselt.be/~bbonne/docs/Thesis.pdf
  5. Bortz, A., Barth, A., Czeskis, A.: Origin cookies: Session integrity for web applications (2011)
  6. De Ryck, P., Desmet, L., Joosen, W., Piessens, F.: Automatic and precise client-side protection against CSRF attacks. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 100–116. Springer, Heidelberg (2011)
  7. Delia Online: Cookies used on Delia Online (2012), http://www.deliaonline.com/home/delia-online-cookies.html
  8. Johns, M., Braun, B., Schrank, M., Posegga, J.: Reliable protection against session fixation attacks. In: Proceedings of the 26th ACM Symposium on Applied Computing (SAC) (2011)
  9. Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: A client-side solution for mitigating cross-site scripting attacks. In: Proceedings of the 2006 ACM Symposium on Applied Computing, pp. 330–337. ACM (2006)
  10. Linhart, C., Klein, A., Heled, R., Orrin, S.: HTTP request smuggling. Computer Security Journal 22(1), 13 (2006)
  11. Mayer, J., Narayanan, A.: Do Not Track: Universal web tracking opt out (2011), http://donottrack.us/
  12. Microsoft Corporation: Tracking Protection Lists (2011), http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/
  13. Nikiforakis, N., Meert, W., Younan, Y., Johns, M., Joosen, W.: SessionShield: Lightweight protection against session hijacking. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 87–100. Springer, Heidelberg (2011)
  14. Samuel, J.: RequestPolicy 0.5.20 (2011), http://www.requestpolicy.com
  15. Schrank, M., Braun, B., Johns, M., Posegga, J.: Session fixation: The forgotten vulnerability? In: Proceedings of the 5th Conference on "Sicherheit, Schutz und Zuverlässigkeit" (GI Sicherheit 2010) (2010)
  16. Tang, S., Dautenhahn, N., King, S.T.: Fortifying web-based applications automatically. In: Proceedings of the 8th ACM Conference on Computer and Communications Security (2011)
  17. Ter Louw, M., Ganesh, K.T., Venkatakrishnan, V.N.: AdJail: Practical enforcement of confidentiality and integrity policies on web advertisements. In: 19th USENIX Security Symposium (2010)
  18. Williams, J., Wichers, D.: OWASP Top 10. OWASP Foundation (2010)
  19. Zhou, Y., Evans, D.: Why aren't HTTP-only cookies more widely deployed? In: Proceedings of the 4th Web 2.0 Security and Privacy Workshop (W2SP 2010) (2010)


Author information

Authors and Affiliations

  1. IBBT-DistriNet, KU Leuven, 3001, Leuven, Belgium

    Philippe De Ryck, Nick Nikiforakis, Lieven Desmet, Frank Piessens & Wouter Joosen


Editor information

Editors and Affiliations

  1. Institute of Information Systems, Vienna University of Technology, Argentinierstrasse 8/184-1, 1040, Vienna, Austria

    Karl Michael Göschka

  2. Swedish Institute of Computer Science, Isafjordsgatan 22, 164 29, Kista, Sweden

    Seif Haridi


Copyright information

© 2012 IFIP International Federation for Information Processing

About this paper

Cite this paper

De Ryck, P., Nikiforakis, N., Desmet, L., Piessens, F., Joosen, W. (2012). Serene: Self-Reliant Client-Side Protection against Session Fixation. In: Göschka, K.M., Haridi, S. (eds) Distributed Applications and Interoperable Systems. DAIS 2012. Lecture Notes in Computer Science, vol 7272. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30823-9_5

  • DOI: https://doi.org/10.1007/978-3-642-30823-9_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-30822-2

  • Online ISBN: 978-3-642-30823-9

