ABSTRACT
Modern websites use multiple authentication cookies to grant visitors different levels of access. The complexity of modern web applications can make it difficult for a web application programmer to ensure that the use of authentication cookies does not introduce vulnerabilities. Even when a programmer has access to all of the source code, this analysis can be challenging; the problem becomes even more vexing when web programmers cobble together off-the-shelf libraries to implement authentication. We have assembled a checklist for modern web programmers to verify that a cookie-based authentication mechanism is securely implemented. We then developed a tool, Newton, to help a web application programmer identify the authentication cookies for specific parts of a website and verify that they are securely implemented according to the checklist. We used Newton to analyze 149 sites, including the Alexa top-200 and many other popular sites across a range of categories including search, shopping, and finance. We found that 113 of them, including high-profile sites such as Yahoo, Amazon, and Fidelity, were vulnerable to hijacking attacks. Many websites have already acknowledged and fixed the vulnerabilities that we found using Newton and reported to them.
Half-Baked Cookies: Hardening Cookie-Based Authentication for the Modern Web