SessionShield: Lightweight protection against session hijacking

Nick Nikiforakis; Wannes Meert; Yves Younan; Martin Johns; Wouter Joosen

doi:10.1007/978-3-642-19125-1_7

SessionShield: Lightweight protection against session hijacking

Nick Nikiforakis
, Wannes Meert
, Yves Younan
, Martin Johns
, Wouter Joosen

Computer Science

KU Leuven
SAP Research

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

57 Scopus citations

Abstract

The class of Cross-site Scripting (XSS) vulnerabilities is the most prevalent security problem in the field of Web applications. One of the main attack vectors used in connection with XSS is session hijacking via session identifier theft. While session hijacking is a client-side attack, the actual vulnerability resides on the server-side and, thus, has to be handled by the website's operator. In consequence, if the operator fails to address XSS, the application's users are defenseless against session hijacking attacks. In this paper we present SessionShield, a lightweight client-side protection mechanism against session hijacking that allows users to protect themselves even if a vulnerable website's operator neglects to mitigate existing XSS problems. SessionShield is based on the observation that session identifier values are not used by legitimate client-side scripts and, thus, need not to be available to the scripting languages running in the browser. Our system requires no training period and imposes negligible overhead to the browser, therefore, making it ideal for desktop and mobile systems.

Original language	English
Title of host publication	Engineering Secure Software and Systems - Third International Symposium, ESSoS 2011, Proceedings
Pages	87-100
Number of pages	14
DOIs	https://doi.org/10.1007/978-3-642-19125-1_7
State	Published - 2011
Event	3rd International Symposium on Engineering Secure Software and Systems, ESSoS 2011 - Madrid, Spain Duration: Feb 9 2011 → Feb 10 2011

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	6542 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	3rd International Symposium on Engineering Secure Software and Systems, ESSoS 2011
Country/Territory	Spain
City	Madrid
Period	02/9/11 → 02/10/11

Keywords

client-side proxy
http-only
session hijacking

Access to Document

10.1007/978-3-642-19125-1_7

Cite this

Nikiforakis, N., Meert, W., Younan, Y., Johns, M., & Joosen, W. (2011). SessionShield: Lightweight protection against session hijacking. In Engineering Secure Software and Systems - Third International Symposium, ESSoS 2011, Proceedings (pp. 87-100). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6542 LNCS). https://doi.org/10.1007/978-3-642-19125-1_7

Nikiforakis, Nick ; Meert, Wannes ; Younan, Yves et al. / SessionShield : Lightweight protection against session hijacking. Engineering Secure Software and Systems - Third International Symposium, ESSoS 2011, Proceedings. 2011. pp. 87-100 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{e0ecf28dcabf44d29f8553585bced773,

title = "SessionShield: Lightweight protection against session hijacking",

abstract = "The class of Cross-site Scripting (XSS) vulnerabilities is the most prevalent security problem in the field of Web applications. One of the main attack vectors used in connection with XSS is session hijacking via session identifier theft. While session hijacking is a client-side attack, the actual vulnerability resides on the server-side and, thus, has to be handled by the website's operator. In consequence, if the operator fails to address XSS, the application's users are defenseless against session hijacking attacks. In this paper we present SessionShield, a lightweight client-side protection mechanism against session hijacking that allows users to protect themselves even if a vulnerable website's operator neglects to mitigate existing XSS problems. SessionShield is based on the observation that session identifier values are not used by legitimate client-side scripts and, thus, need not to be available to the scripting languages running in the browser. Our system requires no training period and imposes negligible overhead to the browser, therefore, making it ideal for desktop and mobile systems.",

keywords = "client-side proxy, http-only, session hijacking",

author = "Nick Nikiforakis and Wannes Meert and Yves Younan and Martin Johns and Wouter Joosen",

year = "2011",

doi = "10.1007/978-3-642-19125-1\_7",

language = "English",

isbn = "9783642191244",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "87--100",

booktitle = "Engineering Secure Software and Systems - Third International Symposium, ESSoS 2011, Proceedings",

note = "3rd International Symposium on Engineering Secure Software and Systems, ESSoS 2011 ; Conference date: 09-02-2011 Through 10-02-2011",

}

Nikiforakis, N, Meert, W, Younan, Y, Johns, M & Joosen, W 2011, SessionShield: Lightweight protection against session hijacking. in Engineering Secure Software and Systems - Third International Symposium, ESSoS 2011, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 6542 LNCS, pp. 87-100, 3rd International Symposium on Engineering Secure Software and Systems, ESSoS 2011, Madrid, Spain, 02/9/11. https://doi.org/10.1007/978-3-642-19125-1_7

SessionShield: Lightweight protection against session hijacking. / Nikiforakis, Nick; Meert, Wannes; Younan, Yves et al.
Engineering Secure Software and Systems - Third International Symposium, ESSoS 2011, Proceedings. 2011. p. 87-100 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6542 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - SessionShield

T2 - 3rd International Symposium on Engineering Secure Software and Systems, ESSoS 2011

AU - Nikiforakis, Nick

AU - Meert, Wannes

AU - Younan, Yves

AU - Johns, Martin

AU - Joosen, Wouter

PY - 2011

Y1 - 2011

N2 - The class of Cross-site Scripting (XSS) vulnerabilities is the most prevalent security problem in the field of Web applications. One of the main attack vectors used in connection with XSS is session hijacking via session identifier theft. While session hijacking is a client-side attack, the actual vulnerability resides on the server-side and, thus, has to be handled by the website's operator. In consequence, if the operator fails to address XSS, the application's users are defenseless against session hijacking attacks. In this paper we present SessionShield, a lightweight client-side protection mechanism against session hijacking that allows users to protect themselves even if a vulnerable website's operator neglects to mitigate existing XSS problems. SessionShield is based on the observation that session identifier values are not used by legitimate client-side scripts and, thus, need not to be available to the scripting languages running in the browser. Our system requires no training period and imposes negligible overhead to the browser, therefore, making it ideal for desktop and mobile systems.

AB - The class of Cross-site Scripting (XSS) vulnerabilities is the most prevalent security problem in the field of Web applications. One of the main attack vectors used in connection with XSS is session hijacking via session identifier theft. While session hijacking is a client-side attack, the actual vulnerability resides on the server-side and, thus, has to be handled by the website's operator. In consequence, if the operator fails to address XSS, the application's users are defenseless against session hijacking attacks. In this paper we present SessionShield, a lightweight client-side protection mechanism against session hijacking that allows users to protect themselves even if a vulnerable website's operator neglects to mitigate existing XSS problems. SessionShield is based on the observation that session identifier values are not used by legitimate client-side scripts and, thus, need not to be available to the scripting languages running in the browser. Our system requires no training period and imposes negligible overhead to the browser, therefore, making it ideal for desktop and mobile systems.

KW - client-side proxy

KW - http-only

KW - session hijacking

UR - https://www.scopus.com/pages/publications/79551556871

U2 - 10.1007/978-3-642-19125-1_7

DO - 10.1007/978-3-642-19125-1_7

M3 - Conference contribution

AN - SCOPUS:79551556871

SN - 9783642191244

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 87

EP - 100

BT - Engineering Secure Software and Systems - Third International Symposium, ESSoS 2011, Proceedings

Y2 - 9 February 2011 through 10 February 2011

ER -

Nikiforakis N, Meert W, Younan Y, Johns M, Joosen W. SessionShield: Lightweight protection against session hijacking. In Engineering Secure Software and Systems - Third International Symposium, ESSoS 2011, Proceedings. 2011. p. 87-100. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-19125-1_7

SessionShield: Lightweight protection against session hijacking

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this