Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Noxes: a client-side solution for mitigating cross-site scripting attacks
Proceedings of the 2006 ACM symposium on Applied computing
Using positive tainting and syntax-aware evaluation to counter SQL injection attacks
Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering
Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
A large-scale study of web password habits
Proceedings of the 16th international conference on World Wide Web
Finding security vulnerabilities in java applications with static analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Static detection of security vulnerabilities in scripting languages
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
End-to-end web application security
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
Static detection of cross-site scripting vulnerabilities
Proceedings of the 30th international conference on Software engineering
Extensible Web Browser Security
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Modular string-sensitive permission analysis with demand-driven precision
ICSE '09 Proceedings of the 31st International Conference on Software Engineering
Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Regular expressions considered harmful in client-side XSS filters
Proceedings of the 19th international conference on World wide web
Tracking information flow in dynamic tree structures
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Dartmouth internet security testbed (DIST: building a campus-wide wireless testbed
CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
xJS: practical XSS prevention for web application development
WebApps'10 Proceedings of the 2010 USENIX conference on Web application development
HProxy: client-side detection of SSL stripping attacks
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
Defending against injection attacks through context-sensitive string evaluation
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
CsFire: transparent client-side mitigation of malicious cross-domain requests
ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems
Secure code generation for web applications
ESSoS'10 Proceedings of the Second international conference on Engineering Secure Software and Systems
Better security and privacy for web browsers: a survey of techniques, and a new implementation
FAST'11 Proceedings of the 8th international conference on Formal Aspects of Security and Trust
Serene: self-reliant client-side protection against session fixation
DAIS'12 Proceedings of the 12th IFIP WG 6.1 international conference on Distributed Applications and Interoperable Systems
FlowFox: a web browser with flexible and precise information flow control
Proceedings of the 2012 ACM conference on Computer and communications security
DEMACRO: defense against malicious cross-domain requests
RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
BetterAuth: web authentication revisited
Proceedings of the 28th Annual Computer Security Applications Conference
PreparedJS: secure script-templates for javascript
DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Quite a mess in my cookie jar!: leveraging machine learning to protect web authentication
Proceedings of the 23rd international conference on World wide web
| Hi-index | 0.00 |
The class of Cross-site Scripting (XSS) vulnerabilities is the most prevalent security problem in the field of Web applications. One of the main attack vectors used in connection with XSS is session hijacking via session identifier theft. While session hijacking is a client-side attack, the actual vulnerability resides on the server-side and, thus, has to be handled by the website's operator. In consequence, if the operator fails to address XSS, the application's users are defenseless against session hijacking attacks. In this paper we present SessionShield, a lightweight client-side protection mechanism against session hijacking that allows users to protect themselves even if a vulnerable website's operator neglects to mitigate existing XSS problems. SessionShield is based on the observation that session identifier values are not used by legitimate clientside scripts and, thus, need not to be available to the scripting languages running in the browser. Our system requires no training period and imposes negligible overhead to the browser, therefore, making it ideal for desktop and mobile systems.