Since cookies act as the only proof of a user identity, web sessions are particularly vulnerable to session hijacking attacks, where the browser run by a given user sends requests associated to the identity of another user. When cookies are used to implement a session, there might actually be n sub-sessions running at the same website, where each cookie is used to retrieve part of the state information related to the session. Sub-session hijacking breaks the ideal view of the existence of a unique user session by selectively hijacking m sub-sessions, with . This may reduce the security of the session to the security of its weakest sub-session. In this paper, we take a systematic look at the root causes of sub-session hijacking attacks and we introduce sub-session linking as a possible defense mechanism. Out of two flavors of sub-session linking desirable for security, which we call intra-scope and inter-scope sub-session linking respectively, only the former is relatively smooth to implement. Luckily, we also identify programming practices to void the need for inter-scope sub-session linking. We finally present Warden, a server-side proxy which automatically enforces intra-scope sub-session linking on incoming HTTP(S) requests, and we evaluate it in terms of protection, performances, backward compatibility and ease of deployment.
B.Adida, Sessionlock: Securing web sessions against eavesdropping, in: Proceedings of the 17th International Conference on World Wide Web, WWW 2008, Beijing, China, April 21–25, 2008, 2008, pp. 517–524.
2.
A.Barth, HTTP State Management Mechanism, 2011.
3.
A.Barth, C.Jackson and J.C.Mitchell, Robust defenses for cross-site request forgery, in: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, 2008, pp. 75–88.
4.
A.Bortz, A.Barth and A.Czeskis, Origin cookies: Session integrity for web applications, in: Web 2.0 Security & Privacy Workshop (W2SP 2011), 2011.
5.
M.Bugliesi, S.Calzavara and R.Focardi, Formal methods for web security, Journal of Logical and Algebraic Methods in Programming (2017).
6.
M.Bugliesi, S.Calzavara, R.Focardi and W.Khan, CookiExt: Patching the browser against session hijacking attacks, Journal of Computer Security23(4) (2015), 509–537. doi:10.3233/JCS-150529.
7.
M.Bugliesi, S.Calzavara, R.Focardi, W.Khan and M.Tempesta, Provably sound browser-based enforcement of web session integrity, in: Proceedings of the IEEE 27th Computer Security Foundations Symposium, CSF 2014, 2014, pp. 366–380.
8.
A.Cahn, S.Alfeld, P.Barford and S.Muthukrishnan, An empirical study of web cookies, in: Proceedings of the 25th International Conference on World Wide Web, WWW 2016, Montreal, Canada, April 11–15, 2016, 2016, pp. 891–901. doi:10.1145/2872427.2882991.
9.
S.Calzavara, R.Focardi, N.Grimm and M.Maffei, Micro-policies for web session security, in: IEEE 29th Computer Security Foundations Symposium, CSF 2016, Lisbon, Portugal, June27–July 1, 2016.
10.
S.Calzavara, R.Focardi, M.Squarcina and M.Tempesta, Surviving the web: A journey into web session security, ACM Computing Surveys (2017).
11.
S.Calzavara, A.Rabitti and M.Bugliesi, Dr cookie and mr token – Web session implementations and how to live with them, in: Proceedings of the Second Italian Conference on Cyber Security, Milan, Italy, February 6th–to–9th, 2018, 2018.
12.
S.Calzavara, G.Tolomei, A.Casini, M.Bugliesi and S.Orlando, A supervised learning approach to protect client authentication on the web, TWEB9(3) (2015), 15:1–15:30. doi:10.1145/2754933.
13.
Chromium Security Team, Marking HTTP As Non-Secure, 2016.
14.
I.Dacosta, S.Chakradeo, M.Ahamad and P.Traynor, One-time cookies: Preventing session hijacking attacks with stateless authentication tokens, ACM Transactions on Internet Technology12(1) (2012), 1–24. doi:10.1145/2220352.2220353.
15.
M.Dietz, A.Czeskis, D.Balfanz and D.S.Wallach, Origin-bound certificates: A fresh approach to strong client authentication for the web, in: Proceedings of the 21th USENIX Security Symposium, USENIX 2012, 2012, pp. 317–331.
16.
K.Fu, E.Sit, K.Smith and N.Feamster, The dos and don’ts of client authentication on the web, in: 10th USENIX Security Symposium, Washington, D.C., USA, August 13–17, 2001, 2001.
17.
P.A.Hallgren, D.T.Mauritzson and A.Sabelfeld, GlassTube: A lightweight approach to web application integrity, in: Proceedings of the 2013 ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, PLAS 2013, 2013, pp. 71–82.
18.
J.Hodges, C.Jackson and A.Barth, HTTP Strict Transport Security (HSTS), 2012.
19.
M.Johns, B.Braun, M.Schrank and J.Posegga, Reliable protection against session fixation attacks, in: Proceedings of the 26th ACM Symposium on Applied Computing, SAC 2011, 2011, pp. 1531–1537.
20.
M.Kranch and J.Bonneau, Upgrading HTTPS in mid-air: An empirical study of strict transport security and key pinning, in: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, 2015 pp. 8–11.
21.
A.X.Liu, J.M.Kovacs and M.G.Gouda, A secure cookie scheme, Computer Networks56(6) (2012), 1723–1730. doi:10.1016/j.comnet.2012.01.013.
22.
Y.Mundada, N.Feamster and B.Krishnamurthy, Half-baked cookies: Hardening cookie-based authentication for the modern web, in: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2016, Xi’an, China, May 30–June 3, 2016, 2016, pp. 675–685.
23.
N.Nikiforakis, W.Meert, Y.Younan, M.Johns and W.Joosen, SessionShield: Lightweight protection against session hijacking, in: Proceedings of the 3rd International Symposium on Engineering Secure Software and Systems, ESSoS 2011, 2011, pp. 87–100.
24.
OWASP, Top 10 Security Threats, 2017.
25.
F.Roesner, T.Kohno and D.Wetherall, Detecting and defending against third-party tracking on the web, in: Proceedings of the 9th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2012, San Jose, CA, USA, April 25–27, 2012, 2012, pp. 155–168.
26.
K.Singh, A.Moshchuk, H.J.Wang and W.Lee, On the incoherencies in web browser access control policies, in: 31st IEEE Symposium on Security and Privacy, S&P 2010, Berleley/Oakland, California, USA, 16–19 May 2010, 2010, pp. 463–478. doi:10.1109/SP.2010.35.
27.
S.Sivakorn, A.D.Keromytis and J.Polakis, That’s the way the cookie crumbles: Evaluating HTTPS enforcing mechanisms, in: Proceedings of the 2016 ACM on Workshop on Privacy in the Electronic Society, WPES@CCS 2016, Vienna, Austria, October 24–28, 2016, 2016, pp. 71–81. doi:10.1145/2994620.2994638.
28.
S.Sivakorn, I.Polakis and A.D.Keromytis, The cracked cookie jar: HTTP cookie hijacking and the exposure of private information, in: IEEE Symposium on Security and Privacy, SP 2016, San Jose, CA, USA, May 22–26, 2016, 2016, pp. 724–742.
29.
S.Tang, N.Dautenhahn and S.T.King, Fortifying web-based applications automatically, in: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, 2011, pp. 615–626.
30.
X.Zheng, J.Jiang, J.Liang, H.Duan, S.Chen, T.Wan and N.Weaver, Cookies lack integrity: Real-world implications, in: Proceedings of the 24th USENIX Security Symposium, USENIX 2015, 2015, pp. 707–721.
