Testing for Integrity Flaws in Web Sessions

Web sessions are fragile and can be attacked at many different levels. Classic attacks like session hijacking, session fixation and cross-site request forgery are particularly dangerous for web session security, because they allow the attacker to breach the integrity of honest users’ sessions by forging requests which get authenticated on the victim’s behalf. In this paper, we systematize current countermeasures against these attacks and the shortcomings thereof, which may completely void protection under specific assumptions on the attacker’s capabilities. We then build on our security analysis to introduce black-box testing strategies to discover insecure session implementation practices on existing websites, which we implement in a browser extension called Dredd. Finally, we use Dredd to assess the security of 20 popular websites from Alexa, exposing a number of session integrity flaws

Testing for Integrity Flaws in Web Sessions

Web sessions are fragile and can be attacked at many different levels. Classic attacks like session hijacking, session fixation and cross-site request forgery are particularly dangerous for web session security, because they allow the attacker to breach the integrity of honest users’ sessions by forging requests which get authenticated on the victim’s behalf. In this paper, we systematize current countermeasures against these attacks and the shortcomings thereof, which may completely void protection under specific assumptions on the attacker’s capabilities. We then build on our security analysis to introduce black-box testing strategies to discover insecure session implementation practices on existing websites, which we implement in a browser extension called Dredd. Finally, we use Dredd to assess the security of 20 popular websites from Alexa, exposing a number of session integrity flaws