
MITIGATING THREATS AGAINST WEB SESSIONS

CLIENT-SIDE WEB SECURITY

The Web has become an intrinsic part of our modern society, but unfortunately, so have security incidents. In recent years, these incidents are even being covered in mainstream media, strongly highlighting the need for effective security measures. This dissertation focuses on client-side mitigation techniques and investigates whether such techniques can be used to effectively secure a session between the browser and a Web application.

As the Web has claimed a prominent place in our society and in our daily lives, Web security has become more important than ever, as illustrated by the mainstream media coverage of serious Web security incidents. Over the last years, the center of gravity of the Web has shifted towards the client, where the browser has become a full-fledged execution platform for highly dynamic, complex Web applications. Unfortunately, with the rising importance of the client-side execution context, attackers have also shifted their focus towards browser-based attacks and compromises of client devices. Naturally, when the attackers' focus shifts towards the client, the countermeasures and security policies evolve as well, as illustrated by the numerous autonomous client-side security solutions and the recently introduced server-driven security policies that are enforced within the browser.

Web applications to the contemporary client-side applications that offer a different user experience. We explore the underlying concepts of such applications and illustrate several important attacks that can be executed from the client side. Ultimately, the focus of this dissertation lies with the security of Web sessions and session management mechanisms, an essential feature of every modern Web application. Concretely, we present three autonomous client-side countermeasures that improve the security of currently deployed session management mechanisms. Each of these countermeasures is implemented as a browser add-on and is thoroughly evaluated. A fourth technical contribution consists of an alternative session management mechanism that fundamentally eliminates common threats against Web sessions. A thorough evaluation of our prototype implementation shows the benefits of such an approach, as well as its compatibility with the current Web infrastructure. Finally, we report on our experience with developing client-side countermeasures, both during the inception phase, often backed by theoretical approaches including formal modeling and rigorous security analyses, and during the development phase, resulting in practically deployable solutions, for example as a browser add-on.

ABBREVIATIONS

ABE Application Boundaries Enforcer

ACM Association for Computing Machinery

AJAX Asynchronous JavaScript and XML

API Application Programming Interface

ARP Address Resolution Protocol

CA Certificate Authority

CORS Cross-Origin Resource Sharing

CSP Content Security Policy

CSRF Cross-Site Request Forgery

CSS Cascading Style Sheets

DANE DNS-based Authentication of Named Entities

DNS Domain Name System

DNSSEC Domain Name System Security Extensions

DOM Document Object Model

DVD Digital Video Disc

FTP File Transfer Protocol

GIF Graphics Interchange Format

HMAC Hash-based Message Authentication Code

HSTS HTTP Strict Transport Security

HTML HyperText Markup Language

HTTP HyperText Transfer Protocol

HTTPS HyperText Transfer Protocol Secure

ID Identifier

IEEE Institute of Electrical and Electronics Engineers

IETF Internet Engineering Task Force

IFIP International Federation for Information Processing

IP Internet Protocol

IT Information Technology

JS JavaScript

JSON JavaScript Object Notation

KU Leuven Katholieke Universiteit Leuven

OS Operating System

OWASP Open Web Application Security Project

PDF Portable Document Format

PFS Perfect Forward Secrecy

PHP HyperText Preprocessor

PKI Public Key Infrastructure

RFC Request for Comments

SID Session Identifier

SLA Service Level Agreement

SOP Same-Origin Policy

SQL Structured Query Language

SSL Secure Sockets Layer

STREWS Strategic Research Roadmap for European Web Security

TLS Transport Layer Security

UI User Interface

URI Uniform Resource Identifier

URL Uniform Resource Locator

VM Virtual Machine

WPA Wi-Fi Protected Access

XML Extensible Markup Language

XSS Cross-Site Scripting

INTRODUCTION

Google, LinkedIn, Adobe, Yahoo, eBay, Nintendo, LastPass, Vodafone, Target, Reuters. There may not seem to be an apparent commonality between these companies, but they have all been victims of Web-based attacks, resulting in the compromise of customer accounts, the large-scale theft of customer information, or embarrassing defacements of their Web sites. The list includes ten prominent companies that are well aware of the dangers of the Web, and they are only the tip of the iceberg. A report about Web security in 2013 lists 253 data breaches, exposing a total of 552 million identities, and reports an astonishing 568,700 Web attacks blocked per day. Statistics show that cybercrime makes 378 million victims per year, or 12 victims per second. Even though financial numbers on cybercrime-induced losses are very unreliable, Symantec estimates the direct global losses caused by cybercrime at $113 billion in a single year, enough to host the London Olympics about 10 times over.

The adverse effects of these Web attacks are often underestimated, both for companies and for individuals. Companies that have become victims of a data breach or defacement not only suffer from business disruptions but also face investigations and potential lawsuits. Additionally, the ensuing reputation damage can cause long-term harmful effects, with customers leaving and shareholders losing confidence. Even worse, a continuous stream of security breaches can cause a loss of confidence in online services among the general population, severely hurting the online retail economy, e-government, and e-health services. A 2013 survey reports that 70% of surveyed Internet users are concerned that their personal information is not kept secure by Web sites, resulting in adapted behavior, as 34% of the users are less likely to give personal information on Web sites. And indeed, security breaches cause significant collateral damage to individual users. For example, a stolen database of personal information often contains users' email addresses, and maybe even recoverable passwords. If the same credentials are used for the email account, the user can lose control over this account, as well as over all accounts that are associated with that email address (since password resets are typically delivered to it). Even worse, the stolen information can be used to commit identity theft, resulting in fraudulent costs being attributed to the victim instead of the perpetrator.

In other cases, the Web attack is only used as a stepping stone towards the compromise of a larger target. For example, Belgacom, a Belgian telco also running infrastructure in Africa, was targeted by an intelligence service through a Web attack. The attackers faked a social network application to serve malware to a Belgacom engineer, allowing the attackers to further infiltrate the Belgacom infrastructure. Another example is the 2010 compromise of apache.org, where a number of Web vulnerabilities eventually led to the compromise of the machine holding the code repositories. With cybercrime as a billion-dollar business, the Web is in a dire situation. Web security is more important than ever, today and in the future. Before we start discussing attackers, problems, and their countermeasures, we take a closer look at how the Web came to be the way it is today, and why client-side Web security, the main focus of this dissertation, has become so popular.
