Session cookies constitute one of the main attack targets against client authentication on the Web. To counter these attacks, modern web browsers implement native cookie protection mechanisms based on the HttpOnly and Secure flags. While there is a general understanding about the effectiveness of these defenses, no formal result has so far been proved about the security guarantees they convey. With the present paper we provide the first such result, by presenting a mechanized proof of noninterference assessing the robustness of the HttpOnly and Secure cookie flags against both web and network attackers with the ability to perform arbitrary XSS code injection. We then develop CookiExt, a browser extension that provides client-side protection against session hijacking, based on appropriate flagging of session cookies and automatic redirection over HTTPS for HTTP requests carrying these cookies. Our solution improves over existing client-side defenses by combining protection against both web and network attacks, while at the same time being designed so as to minimise its effects on the user’s browsing experience. Finally, we report on the experiments we carried out to practically evaluate the effectiveness of our approach.
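The two client-side mechanisms the abstract describes, flagging session cookies with HttpOnly and Secure and redirecting plain-HTTP requests that would carry such a cookie to HTTPS, are modelled below in a small, self-contained JavaScript example. This is an added illustration, not code from the paper or from CookiExt: the session-cookie detection (a list of well-known session cookie names) is a constructed stand-in for the paper's own detection logic, the cookie jar ignores Domain and Path matching, and all hosts and cookie values are made up.

```javascript
// Added example (not the paper's or CookiExt's code): a minimal model of
// client-side session-cookie hardening.
//   1. hardenSetCookie: add HttpOnly (unreadable by injected script) and
//      Secure (never sent over plain HTTP) to cookies that look like session cookies.
//   2. rewriteRequestUrl: an outgoing http:// request whose host has a flagged
//      cookie is redirected to https://, so the cookie is neither disclosed to a
//      network attacker nor silently dropped by the browser's Secure handling.

// Constructed heuristic: well-known session cookie names (not the paper's detector).
const SESSION_COOKIE_NAMES = ["PHPSESSID", "JSESSIONID", "ASP.NET_SessionId", "sid", "sessionid"];

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p.length > 0);
  const eq = parts[0].indexOf("=");
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? "" : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

function looksLikeSessionCookie(name) {
  return SESSION_COOKIE_NAMES.some((s) => s.toLowerCase() === name.toLowerCase());
}

// Rewrite a Set-Cookie header so a session cookie carries both protection flags.
// Non-session cookies pass through unchanged.
function hardenSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  if (!looksLikeSessionCookie(name)) return { header: header.trim(), flagged: false };
  let out = header.trim().replace(/;\s*$/, "");
  if (!("httponly" in attrs)) out += "; HttpOnly";
  if (!("secure" in attrs)) out += "; Secure";
  return { header: out, flagged: true };
}

// A tiny cookie jar keyed by host that remembers which cookies the client flagged.
function makeJar() {
  return { cookies: [] };
}

function storeCookie(jar, host, header) {
  const hardened = hardenSetCookie(header);
  const c = parseSetCookie(hardened.header);
  jar.cookies.push({
    host,
    name: c.name,
    value: c.value,
    secure: "secure" in c.attrs,
    httpOnly: "httponly" in c.attrs,
    flagged: hardened.flagged,
  });
  return hardened;
}

// Cookies the browser would attach to a request for url: Secure cookies only over HTTPS.
function cookiesForRequest(jar, url) {
  const u = new URL(url);
  const https = u.protocol === "https:";
  return jar.cookies.filter((c) => c.host === u.hostname && (https || !c.secure));
}

// Cookies an injected script could read via document.cookie: HttpOnly ones are hidden.
function scriptVisibleCookies(jar, url) {
  return cookiesForRequest(jar, url).filter((c) => !c.httpOnly);
}

// Redirect a plain-HTTP request to HTTPS when its host holds a flagged session cookie.
function rewriteRequestUrl(jar, url) {
  const u = new URL(url);
  if (u.protocol !== "http:") return url;
  const carriesFlagged = jar.cookies.some((c) => c.host === u.hostname && c.flagged);
  if (!carriesFlagged) return url;
  u.protocol = "https:";
  return u.toString();
}

// Demonstration on constructed data.
const demoJar = makeJar();
storeCookie(demoJar, "example.com", "PHPSESSID=abc123; Path=/");
storeCookie(demoJar, "example.com", "theme=dark; Path=/");
console.log(rewriteRequestUrl(demoJar, "http://example.com/account"));
console.log(scriptVisibleCookies(demoJar, "https://example.com/").map((c) => c.name));
```

The redirect step matters precisely because of the Secure flag: once the session cookie is marked Secure, a plain-HTTP request to the same host would go out without it and break the session, so the client upgrades the request instead of letting the cookie be dropped or leaked.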