A User-Level Authentication Scheme to Mitigate Web Session-Based Vulnerabilities

  • Bastian Braun
  • Stefan Kucher
  • Martin Johns
  • Joachim Posegga
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7449)

Abstract

After the initial login, web browsers authenticate to web applications by sending the session credentials with every request. Several attacks exist which exploit conceptual deficiencies of this scheme, e.g. Cross-Site Request Forgery, Session Hijacking, Session Fixation, and Clickjacking. We analyze these attacks and identify their common root causes in the browser authentication scheme and the missing user context. These root causes allow the attacker to mislead the browser and misuse the user’s session context. Based on this result, we present a user authentication scheme that prohibits the exploitation of the analyzed vulnerabilities. Our mechanism works by binding image data to individual sessions and requiring submission of this data along with security-critical HTTP requests. This way, an attacker’s exploitation chances are limited to a theoretically arbitrary low probability to guess the correct session image.

Keywords

Shared Secret Authentication Scheme User Authentication Scheme Attack Vector Graphical Password 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: CAPTCHA: Using Hard AI Problems for Security. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 294–311. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Barth, A., Jackson, C., Mitchell, J.C.: Robust Defenses for Cross-Site Request Forgery. In: CCS 2009 (2009)Google Scholar
  3. 3.
    Hardy, N.: The Confused Deputy (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22, 36–38 (1988)CrossRefGoogle Scholar
  4. 4.
    Johns, M.: SessionSafe: Implementing XSS Immune Session Handling. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 444–460. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Johns, M., Braun, B., Schrank, M., Posegga, J.: Reliable Protection Against Session Fixation Attacks. In: Proceedings of ACM SAC (2011)Google Scholar
  6. 6.
    Johns, M., Winter, J.: RequestRodeo: Client Side Protection against Session Riding. In: OWASP Europe 2006 (May 2006)Google Scholar
  7. 7.
    Jovanovic, N., Kruegel, C., Kirda, E.: Preventing cross site request forgery attacks. In: Proceedings of Securecomm 2006 (2006)Google Scholar
  8. 8.
    Kolsek, M.: Session Fixation Vulnerability in Web-based Applications. Whitepaper, Acros Security (December 2002), http://www.acrossecurity.com/papers/session_fixation.pdf
  9. 9.
  10. 10.
    Mozilla. X-Frame-Options response header (May 20, 2011), https://developer.mozilla.org/en/the_x-frame-options_response_header
  11. 11.
    Mozilla. Csp (content security policy). Mozilla Developer Network (March 2009), https://developer.mozilla.org/en/Security/CSP
  12. 12.
    MSDN. Mitigating Cross-site Scripting With HTTP-only Cookies (June 08, 2012), http://msdn.microsoft.com/en-us/library/ms533046VS.85.aspx
  13. 13.
    Niemietz, M.: UI Redressing: Attacks and Countermeasures Revisited. In: CONFidence 2011 (2011)Google Scholar
  14. 14.
    Hansen, R.: Clickjacking (May 20, 2011), http://ha.ckers.org/blog/20080915/clickjacking/
  15. 15.
    Hansen, R., Grossman, J.: Clickjacking (May 20, 2011), http://www.sectheory.com/clickjacking.htm
  16. 16.
    Ruderman, J.: The Same Origin Policy (August 2001), https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript (June 08, 2012)
  17. 17.
    De Ryck, P., Desmet, L., Heyman, T., Piessens, F., Joosen, W.: CsFire: Transparent Client-Side Mitigation of Malicious Cross-Domain Requests. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 18–34. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  18. 18.
    Rydstedt, G., Bursztein, E., Boneh, D., Jackson, C.: Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites. In: Proceedings of W2SP 2010 (2010)Google Scholar
  19. 19.
    Schrank, M., Braun, B., Johns, M., Posegga, J.: Session Fixation - the Forgotten Vulnerability? In: Proceedings of GI Sicherheit 2010 (2010)Google Scholar
  20. 20.
    W3C. HTML5 - The canvas element (September 24, 2011), http://www.w3.org/TR/html5/the-canvas-element.html
  21. 21.
    W3C. HTML5 - The iframe element (August 29, 2011), http://www.w3.org/TR/html5/the-iframe-element.html#the-iframe-element
  22. 22.
    Zhou, Y., Evans, D.: Why Aren’t HTTP-only Cookies More Widely Deployed? In: Proceedings of W2SP 2010 (2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Bastian Braun
    • 1
  • Stefan Kucher
    • 1
  • Martin Johns
    • 2
  • Joachim Posegga
    • 1
  1. 1.Institute of IT-Security and Security Law (ISL)University of PassauGermany
  2. 2.SAP ResearchGermany

Personalised recommendations