Prevent Session Hijacking by Binding the Session to the Cryptographic Network Credentials

  • Willem Burgers
  • Roel Verdult
  • Marko van Eekelen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8208)

Abstract

Many cyber-physical applications are responsible for safety-critical or business-critical infrastructure. Such applications are often controlled through a web interface. They manage sensitive databases, drive important SCADA systems or represent imperative business processes. A vast majority of such web applications are well known to be vulnerable to a number of exploits. The focus of this paper is on the vulnerability of session stealing, also called session hijacking. We developed a novel method to prevent session stealing in general. The key idea of the method is binding the securely negotiated communication channel to the application user authentication. For this we introduce a server-side reverse proxy which runs independently from the client and server software. The proposed method wraps around the deployed infrastructure and requires no alterations to existing software. This paper discusses the technical encryption issues involved with employing this method. We describe a prototype implementation and motivate the technical choices made. Furthermore, the prototype is validated by applying it to secure the particularly vulnerable Blackboard Learn system, which is an important and critical infrastructural application for our university. We concretely demonstrate how to protect this system against session stealing. Finally, we discuss the application areas of this new method.
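
The binding idea described above can be illustrated with a small proxy-side check. This is an added example, not the paper's prototype or the authors' code. It assumes a session cookie named `session_id`, an opaque per-client channel identifier that the proxy derives from the TLS negotiation, and a policy of rejecting session cookies the proxy never saw being issued.

```python
import hashlib
import hmac
import os
from http.cookies import SimpleCookie

SESSION_COOKIE = "session_id"  # assumed name of the application's session cookie


class SessionBindingProxy:
    """Hypothetical proxy table tying each session to the channel that created it."""

    def __init__(self):
        self._key = os.urandom(32)  # per-proxy secret; the table stores only MACs
        self._bound = {}            # MAC(session value) -> MAC(channel id)

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def _session_value(self, header: str):
        morsel = SimpleCookie(header).get(SESSION_COOKIE)
        return morsel.value.encode() if morsel else None

    def on_response(self, channel_id: bytes, set_cookie: str) -> None:
        """Backend issued a cookie: bind it to the channel the login arrived on."""
        value = self._session_value(set_cookie)
        if value is not None:
            self._bound[self._mac(value)] = self._mac(channel_id)

    def on_request(self, channel_id: bytes, cookie_header: str) -> bool:
        """Return True if the request may be forwarded to the backend."""
        value = self._session_value(cookie_header)
        if value is None:
            return True   # no session claimed; the backend will require login
        expected = self._bound.get(self._mac(value))
        if expected is None:
            return False  # assumed policy: unknown session cookies are dropped
        return hmac.compare_digest(expected, self._mac(channel_id))


def demo():
    proxy = SessionBindingProxy()
    owner, other = b"constructed-channel-A", b"constructed-channel-B"  # sample ids
    proxy.on_response(owner, "session_id=abc123; Path=/; HttpOnly; Secure")
    return (
        proxy.on_request(owner, "session_id=abc123; lang=en"),  # same channel
        proxy.on_request(other, "session_id=abc123"),           # cookie on another channel
        proxy.on_request(other, "session_id=never-issued"),     # unknown session
        proxy.on_request(other, "lang=en"),                     # no session cookie
    )
```

Because the check lives entirely in the proxy, neither the browser nor the backend application has to change, which matches the wrap-around deployment the abstract describes.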

Keywords and Phrases

software security, web applications, cross site scripting, session stealing, session hijacking

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Willem Burgers (1)
  • Roel Verdult (1)
  • Marko van Eekelen (1, 2)

  1. Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands
  2. School of Computer Science, Open University of The Netherlands, The Netherlands