Besides a broad overview of client-side Web security, this dissertation makes several contributions towards improving the security of Web sessions and session management systems, with a strong focus on autonomous client-side mechanisms that protect the user without the cooperation of the vulnerable Web application. We study several attacks that impact client-side security, providing for each a detailed description of the attack, an overview of available mitigation techniques, the state-of-the-art in research, and the current state of practice as observed on the Web.
These four technical contributions each counter a specific threat against session management in Web applications. Implementations of each of these contributions illustrate the practical applicability, either as a mature product or as a proof-of-concept prototype.
- CsFire is a browser add-on that protects against cross-site request forgery (CSRF) attacks. CsFire autonomously decides when a cross-origin request is considered to be potentially harmful, and strips the cookies from these requests, rendering them harmless. The effectiveness of CsFire’s request filtering algorithm, and the associated trusted delegation assumption, is formally verified using the bounded model checker Alloy. Further, CsFire is publicly available for the Firefox and Chrome browsers, and has thousands of unique daily users.
- Serene is the first client-side mitigation technique against session fixation attacks, which give the attacker control over the user’s authenticated session. Serene is capable of protecting both cookie-based and parameter-based session management mechanisms. Serene is implemented as a browser add-on, and its effectiveness and compatibility were evaluated on the Alexa top 1,000,000 sites.
- SecSess fundamentally improves the security of Web sessions, as it upgrades the HTTP session management mechanism to prevent unauthorized transferring of the session. We have implemented the client-side part of SecSess as a browser add-on, and the server-side part as a middleware for the Express framework on top of NodeJS. SecSess is fully compatible with current deployment scenarios on the Web, including the use of middleboxes throughout the network path, such as Web caches and perimeter security devices.
- TabShots is a browser add-on that detects tabnabbing attacks, a special variation of a phishing attack. TabShots visually compares screenshots of a browser tab, in order to detect potentially harmful changes. The detected changes are highlighted, thereby alerting the user when he wants to enter authentication credentials in a fraudulent form loaded by a tabnabbing attack.
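To make the CsFire bullet above concrete, here is an added, illustrative request filter in Python; it is not CsFire's own code, and it simplifies the decision to a same-origin comparison (scheme, host, port) plus an explicit allowlist of trusted (initiator, target) origin pairs standing in for the trusted-delegation concept. Only the Cookie header is stripped, matching the text.

```python
from urllib.parse import urlsplit

# Default ports, so that https://a.example and https://a.example:443 compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple of a URL, filling in default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def is_cross_origin(initiator_url, target_url):
    """A request is cross-origin when the page that triggered it and its target differ in origin."""
    return origin(initiator_url) != origin(target_url)


def filter_request(initiator_url, target_url, headers, trusted_delegations=frozenset()):
    """Decide whether a request is potentially harmful and, if so, strip its cookies.

    trusted_delegations is a constructed allowlist of (initiator_origin, target_origin)
    pairs that the user or a policy has explicitly marked as safe (an assumption of this
    example, not CsFire's actual delegation rule). Returns (headers, stripped).
    """
    if not is_cross_origin(initiator_url, target_url):
        return dict(headers), False                      # same-origin: leave untouched
    if (origin(initiator_url), origin(target_url)) in trusted_delegations:
        return dict(headers), False                      # explicitly trusted cross-origin pair
    # Potentially harmful cross-origin request: drop the Cookie header so that any
    # ambient session the browser would attach is not sent along.
    stripped = {k: v for k, v in headers.items() if k.lower() != "cookie"}
    return stripped, True


# Constructed sample: a page on attacker.example triggers a POST to bank.example.
SAMPLE_HEADERS = {"Host": "bank.example", "Cookie": "sid=abc123", "Content-Type": "text/plain"}
```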
Based on the experience gained during the inception and development of these practical countermeasures, we reflect on the use of client-side mitigation techniques by exploring the following:
- Experience Report on Client-side Mitigations. Based on our experience with developing client-side mitigation techniques, we provide insights into the different implementation strategies, with their advantages and disadvantages. We discuss browser add-ons, the preferred implementation strategy used throughout this dissertation, and the challenges we encountered during the evaluation of our prototypes.
- Research Challenges and Trends. We identify several research challenges that lie on the road ahead, and look into trends that can be observed in the current state-of-practice. Concretely, we elaborate on the importance of theoretical approaches towards Web security, the relevance of upcoming state-of-practice security policies that can be used as a second line of defense, and the rise of Web technologies as an essential building block of mobile apps.