A User-Level Authentication Scheme to Mitigate Web Session-Based Vulnerabilities

  • Bastian Braun
  • Stefan Kucher
  • Martin Johns
  • Joachim Posegga
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7449)


After the initial login, web browsers authenticate to web applications by sending the session credentials with every request. Several attacks exploit conceptual deficiencies of this scheme, e.g. Cross-Site Request Forgery, Session Hijacking, Session Fixation, and Clickjacking. We analyze these attacks and identify their common root causes in the browser authentication scheme and the missing user context. These root causes allow the attacker to mislead the browser and misuse the user's session context. Based on this result, we present a user authentication scheme that prohibits the exploitation of the analyzed vulnerabilities. Our mechanism works by binding image data to individual sessions and requiring submission of this data along with security-critical HTTP requests. This way, an attacker's chances of exploitation are limited to a theoretically arbitrarily low probability of guessing the correct session image.







Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Bastian Braun (1)
  • Stefan Kucher (1)
  • Martin Johns (2)
  • Joachim Posegga (1)
  1. Institute of IT-Security and Security Law (ISL), University of Passau, Germany
  2. SAP Research, Germany
