Noxes: a client-side solution for mitigating cross-site scripting attacks
Proceedings of the 2006 ACM symposium on Applied computing
Securing frame communication in browsers
Communications of the ACM - One Laptop Per Child: Vision vs. Reality
An analysis of private browsing modes in modern browsers
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
AdJail: practical enforcement of confidentiality and integrity policies on web advertisements
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
SessionShield: lightweight protection against session hijacking
ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
Reliable protection against session fixation attacks
Proceedings of the 2011 ACM Symposium on Applied Computing
Automatic and precise client-side protection against CSRF attacks
ESORICS'11 Proceedings of the 16th European conference on Research in computer security
Fortifying web-based applications automatically
Proceedings of the 18th ACM conference on Computer and communications security
Quite a mess in my cookie jar!: leveraging machine learning to protect web authentication
Proceedings of the 23rd international conference on World wide web
The web is the most widespread and de facto distributed platform, hosting a plethora of valuable applications and services. Building stateful services on the web requires a session mechanism that keeps track of server-side session state, such as authentication data. These sessions are an attractive target for attackers, since taking over an authenticated session fully compromises the user's account. This paper focuses on session fixation, where an attacker forces the user to use the attacker's session, allowing the attacker to take over the session after the user authenticates. We present Serene, a self-reliant client-side countermeasure that protects the user from session fixation attacks, regardless of the security provisions (or lack thereof) of a web application. By specifically protecting session identifiers from fixation, and not interfering with other cookies or parameters, Serene is able to autonomously protect a large majority of web applications without disrupting legitimate functionality. We experimentally validate these claims with a large-scale study of Alexa's top one million sites, illustrating both Serene's large coverage (83.43%) and its compatibility (95.55%).