Sessionlock: securing web sessions against eavesdropping

Published: 21 April 2008

Abstract

Typical web sessions can be hijacked easily by a network eavesdropper in attacks that have come to be designated "sidejacking." The rise of ubiquitous wireless networks, often unprotected at the transport layer, has significantly aggravated this problem. While SSL can protect against eavesdropping, its usability disadvantages often make it unsuitable when the data is not considered highly confidential. Most web-based email services, for example, use SSL only on their login page and are thus vulnerable to sidejacking.
We propose SessionLock, a simple approach to securing web sessions against eavesdropping without extending the use of SSL. SessionLock is easily implemented by web developers using only JavaScript and simple server-side logic. Its performance impact is negligible, and all major web browsers are supported. Interestingly, it is particularly easy to implement on single-page AJAX web applications, e.g. Gmail or Yahoo mail, with approximately 200 lines of JavaScript and 60 lines of server-side verification code.


    Published In

    WWW '08: Proceedings of the 17th international conference on World Wide Web
    April 2008, 1326 pages
    ISBN: 9781605580852
    DOI: 10.1145/1367497

    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tag

    1. web security

    Qualifiers

    • Research-article

    Conference

    WWW '08

    Acceptance Rates

    Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

    Cited By

    • (2023) A Survey on Web Application Penetration Testing. Electronics 12(5):1229. DOI: 10.3390/electronics12051229. Online publication date: 4 Mar 2023.
    • (2023) Blockchain-Based Online E-voting System. 2023 International Conference on Smart Computing and Application (ICSCA), pages 1-8. DOI: 10.1109/ICSCA57840.2023.10087767. Online publication date: 5 Feb 2023.
    • (2022) Enhancing Web Authentication Security Using Random Forest. TENCON 2022 - 2022 IEEE Region 10 Conference (TENCON), pages 1-6. DOI: 10.1109/TENCON55691.2022.9978128. Online publication date: 1 Nov 2022.
    • (2022) An Approach to Perceive Session Hijacking in IoT Health Care. Information and Communication Technology for Competitive Strategies (ICTCS 2021), pages 525-533. DOI: 10.1007/978-981-19-0098-3_51. Online publication date: 10 Jun 2022.
    • (2021) An OWASP Top Ten Driven Survey on Web Application Protection Methods. Risks and Security of Internet and Systems, pages 235-252. DOI: 10.1007/978-3-030-68887-5_14. Online publication date: 12 Feb 2021.
    • (2020) The Cookie Hunter: Automated Black-box Auditing for Web Authentication and Authorization Flaws. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pages 1953-1970. DOI: 10.1145/3372297.3417869. Online publication date: 30 Oct 2020.
    • (2020) Security Analysis of a Truck Hiring Application in Bangladesh. 2020 IEEE Region 10 Symposium (TENSYMP), pages 1672-1675. DOI: 10.1109/TENSYMP50017.2020.9230853. Online publication date: 5 Jun 2020.
    • (2019) P2P networking based internet of things (IoT) sensor node authentication by Blockchain. Peer-to-Peer Networking and Applications. DOI: 10.1007/s12083-019-00739-x. Online publication date: 9 Sep 2019.
    • (2019) On one-time cookies protocol based on one-time password. Soft Computing. DOI: 10.1007/s00500-019-04138-5. Online publication date: 20 Jun 2019.
    • (2018) Sub-session hijacking on the web: Root causes and prevention. Journal of Computer Security, pages 1-25. DOI: 10.3233/JCS-181149. Online publication date: 23 Oct 2018.
