The state of practice in defending against common client-side attacks is less than stellar. Only 34% of the top 10-million sites use a valid TLS certificate, and the SSL Pulse project shows that many TLS deployments are suboptimal. Additionally, the adoption of straightforward, low-impact countermeasures, such as the HttpOnly cookie attribute, is slow, and the exploitation of CSRF and XSS attacks is rampant, even on major, security-conscious sites. Finally, users are frequently targeted by social engineering attacks, of which phishing remains the most common attack vector.
The whole Web session concept and supporting session management mechanisms, crucial building blocks of practically every Web application, are exceptionally vulnerable to these kinds of attacks. Attacks such as session hijacking and session fixation, which use eavesdropping or cross-site scripting as attack vectors, directly target the session management mechanism. Other attacks, such as cross-site request forgery or UI redressing, attempt to manipulate the user’s session by carrying out additional actions in the user’s name. Finally, social engineering attacks trick the user into divulging his credentials to the attacker, allowing the attacker to fully impersonate the user towards a Web application by establishing an authenticated session. Many of the attacks presented in the previous section target Web sessions and session management mechanisms in one way or another. At the roots of these attacks lie three concrete threats against Web sessions and session management mechanisms.
VIOLATING SESSION INTEGRITY
The first threat is the violation of the integrity of a session, a notion also encountered in other papers, where an attacker is able to manipulate the session state. For example, if an attacker can remove requests from a session, or insert requests into the session, the integrity of the session is compromised. Note that the attacker is not assumed to have full control over the session, which would allow him to transfer it to another machine or browser; that is a significantly more powerful attack, as will become clear in the next threat.
A first attack that violates the integrity of the session is cross-site request forgery (CSRF), where an attacker tricks the user’s browser into sending requests to the target application, which interprets these requests as legitimate. A second attack is UI redressing, where the user is tricked into interacting with a seemingly innocuous page, while in fact he is interacting with a hidden page of the target application. In a third attack scenario, an attacker is able to take control of the client-side execution context, for example through a cross-site scripting (XSS) attack, allowing him to send arbitrary requests to the application’s origin. Note that the main difference between a cross-site scripting attack and a cross-site request forgery (CSRF) attack is the level of control over the origin of the target application: in a CSRF attack, the attacker mainly controls his own origin, and not that of the application under attack.
UNAUTHORIZED TRANSFER OF A SESSION
The second threat to the security of Web sessions is the unauthorized transfer of a session, essentially allowing an attacker to take control of the user’s session. If an attacker succeeds in taking over a user’s session, he can impersonate the user towards the target application, giving the attacker the same privileges as the user. While this threat is more powerful than violating the integrity of a session, the attacker is still bound within this single session, losing his access when the session is terminated, or when a re-authentication is required by the target application.
The most common way to perform an unauthorized session transfer is a session hijacking attack, by simply stealing the session identifier. Because this session identifier acts as a bearer token, the attacker can successfully impersonate the user towards the target application. A second attack, session fixation, has the same result as a session hijacking attack, but is technically more complicated to carry out. In a session fixation attack, the attacker first establishes a session with the target application, and subsequently transfers this session to the user’s browser, causing the user’s actions to be carried out within the attacker’s session.
When the user authenticates himself within this session, the attacker gains access to the user’s authenticated session, giving him the same privileges as the user. Improving session management in the Web is an active research topic, and many proposals effectively mitigate the unauthorized transfer of a session, albeit without explicitly naming the security property. One paper that investigates security challenges when two applications are hosted on a sibling domain defines a violation of session confidentiality as the attacker learning the session identifier, and session integrity as the attacker being able to modify the session identifier, which correspond to a session hijacking and a session fixation attack, respectively. Even though these definitions are explicitly tailored towards session management mechanisms that use bearer tokens, our more generic definition of the threat inherently subsumes these bearer token-based definitions.
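The two transfer attacks above, replayed against a toy bearer-token session store (added illustration, not code from the dissertation or from Serene/SecSess). The store, the session identifiers and the user "alice" are constructed; the only server-side setting is whether the identifier is regenerated at login, which stops fixation but, as the text later argues for bearer tokens in general, cannot stop hijacking of an identifier the attacker has learned.

```python
import secrets


class SessionStore:
    """Toy server-side session store keyed by a bearer session identifier (constructed for illustration)."""

    def __init__(self, regenerate_on_login):
        self.sessions = {}
        self.regenerate_on_login = regenerate_on_login

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username):
        """Authenticate within session `sid`; return the identifier the browser must use from now on."""
        if sid not in self.sessions:
            sid = self.new_session()
        if self.regenerate_on_login:
            # Mitigation: discard the pre-authentication identifier and issue a fresh one,
            # so an identifier planted in the browser never becomes an authenticated session.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid):
        """The user the server associates with a request carrying `sid` (None if unauthenticated)."""
        return self.sessions.get(sid, {}).get("user")


def session_fixation(regenerate_on_login):
    """Replay the fixation scenario; return whom the attacker-established identifier resolves to."""
    store = SessionStore(regenerate_on_login)
    attacker_sid = store.new_session()      # attacker establishes a session with the application
    store.login(attacker_sid, "alice")      # that identifier ends up in the victim's browser, who then logs in
    return store.whoami(attacker_sid)       # the attacker keeps using the identifier he established


def session_hijacking(regenerate_on_login):
    """Replay hijacking: the bearer token is learned after authentication (eavesdropping, XSS)."""
    store = SessionStore(regenerate_on_login)
    victim_sid = store.login(store.new_session(), "alice")
    return store.whoami(victim_sid)         # knowing the token is all an impersonator needs
```

With regeneration disabled `session_fixation` resolves the planted identifier to "alice"; with it enabled the identifier is dead, while `session_hijacking` succeeds either way.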
IMPERSONATING THE USER BY ESTABLISHING A SESSION
A third threat to the security of a session is even more powerful and allows an attacker to establish a new session in the user’s name. In such an attack, the attacker can fully impersonate the user, bypassing all re-authentication checks that are based on the credentials used to establish the session. Note that this attack can escalate towards other applications as well, either because of shared credentials between multiple applications or because of the use of the compromised application to gain access to another application. A common example of the latter is an attacker controlling a mail account, which is in turn used to reset the password of other accounts.
The most common example of establishing a session in the user’s name is the use of stolen credentials, which can be obtained in various ways. Server-side compromises, resulting in the theft of a database with user information, are extremely common. Client-side examples of potential attacks are generally based on social engineering, where the user is tricked into divulging sensitive information. The most common attack vector for social engineering is phishing in all its variations, such as large-scale email campaigns or targeted spear-phishing, but also alternative attacks such as tab-nabbing. Note that social engineering attacks, and especially phishing attacks, are very powerful when launched from within the right context. One recent example is the use of a cross-site scripting vulnerability in the targeted application to redirect the user to a legitimate-looking but fraudulent login page. As this conforms to the expected flow of events, this attack is unlikely to be detected by a run-of-the-mill Web user.
Each of these threats against Web sessions targets a different aspect of the session and is enabled by different attacks. Each of these attacks is in turn enabled by specific threat models, which depend on different technologies or design properties of the Web. Unfortunately, there is no silver-bullet approach that would fix all session problems at once, not even when the entire session management mechanism is replaced by an alternative approach. Within this dissertation, we have consistently improved the security of Web sessions and session management mechanisms, either from within the browser as an autonomous client-side mitigation technique or by proposing an alternative, secure-by-design solution.
CsFire is a client-side mitigation technique against CSRF attacks, which violate the session integrity. CsFire prevents cross-origin requests, the kind of requests that are used in a CSRF attack, from being associated with an existing session, thereby preventing the action from being carried out in the user’s name. The second threat, unauthorized transfer of a session, is enabled by the lax security properties of the session identifier, which acts as a bearer token in currently deployed session management mechanisms. Serene mitigates several attack vectors of a session fixation attack from within the browser. Unfortunately, bearer-token-based session management systems are inherently insecure, and cannot be completely fixed by applying patches. Therefore, we propose SecSess, an alternative session management mechanism, which no longer depends on a bearer token, and effectively mitigates the unauthorized transfer of a session after establishment. The third threat, impersonating the user by establishing a session, is enabled by the theft of credentials, for example through social engineering. TabShots is a detection mechanism for tab-nabbing attacks, a sneaky variation on traditional phishing attacks. By detecting such attacks, and highlighting potentially fraudulent forms, TabShots effectively helps prevent the theft of credentials autonomously from within the browser.
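The CSRF attack from the first threat and the CsFire idea of not letting cross-origin requests be associated with an existing session, modelled as a browser-side cookie filter in front of a toy server endpoint (added illustration; the filter is a simplification constructed here, not CsFire's actual policy or code). The origins bank.example and attacker.example, the cookie name SESSIONID and the user "alice" are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) triple that browsers compare in the same-origin check."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS[p.scheme])


def attach_cookies(request_url, initiator_url, cookie_jar):
    """Browser-side filter (constructed): return the cookies a request is allowed to carry.

    cookie_jar maps a destination origin to its stored cookies. Requests whose initiating
    page shares the destination's origin, or that the user initiated directly
    (initiator_url is None), carry everything. Any other cross-origin request is sent
    without cookies, so the server cannot associate it with an existing session.
    """
    dest = origin(request_url)
    stored = cookie_jar.get(dest, {})
    if initiator_url is None or origin(initiator_url) == dest:
        return dict(stored)
    return {}


def handle_transfer(cookies, sessions):
    """Toy server endpoint: a state-changing action runs only inside an authenticated session."""
    user = sessions.get(cookies.get("SESSIONID"))
    if user is None:
        return "rejected: no authenticated session"
    return f"transfer executed as {user}"


def csrf_scenario(filter_enabled):
    """Constructed scenario: a page on attacker.example makes Alice's browser request bank.example."""
    bank = "https://bank.example/transfer"
    jar = {origin(bank): {"SESSIONID": "s-alice"}}      # Alice is logged in at the bank
    sessions = {"s-alice": "alice"}                       # the bank's server-side session table
    initiator = "https://attacker.example/page.html"
    if filter_enabled:
        cookies = attach_cookies(bank, initiator, jar)
    else:
        cookies = dict(jar[origin(bank)])                 # default browser behaviour: cookies always attached
    return handle_transfer(cookies, sessions)
```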