While session fixation attacks also rank highly in the OWASP Top 10 and the CWE/SANS Top 25, they are often underestimated. Typical defenses against session fixation are deployed at the server-side and depend on the cooperation of the developer. Serene is the first client-side mitigation technique against session fixation attacks and works both for cookie-based and parameter-based session management systems. Serene’s main challenge lies in both maximizing the scope of its protection and minimizing its interference with Web applications.
Serene’s design consists of two main components: a heuristic algorithm that identifies the session identifiers in a set of cookies or parameters, and a protection mechanism that prevents an attacker from fixating a session identifier. Keeping the two separate lets Serene maintain a high degree of compatibility as the Web evolves, since the heuristic is the part that will most likely need fine-tuning over time. Follow-up research focuses exactly on the identification of session identifiers and proposes a semi-automatic machine learning technique to construct a so-called golden set for 70 popular Web applications. Such a golden set defines the set of cookies that together serve as the actual authentication token. Based on these golden sets, the authors evaluated several mitigation techniques that depend on the detection of session identifiers, including Serene and SessionShield, which served as an inspiration for Serene. Their results show that Serene’s heuristic algorithm improves on SessionShield’s false-positive rate (37 instead of 105 out of 327 cookies), but incurs a higher false-negative rate (55 instead of 8 out of 103).
In hindsight, we can conclude that Serene’s heuristic algorithm causes few compatibility issues, but can still be improved to cover more of the cookies that make up the authentication token, a need we correctly assessed at the time and one that remains a major challenge in the modern Web. The golden sets are extremely valuable in showing the complexity of authentication tokens. They aptly highlight how difficult it is to establish the exact composition of an authentication token from the client side, which still requires manual or semi-manual processes and a significant amount of human effort. Hopefully, future work will bring a fully automated detection mechanism for authentication tokens, although a server-driven policy that marks certain tokens as authentication tokens may be more feasible.
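To make the false-positive/false-negative trade-off above concrete, the following is an added example (not Serene’s own heuristic or code, and not the follow-up work’s golden sets): a deliberately simple session-identifier heuristic that looks at a cookie’s name and at how random its value looks, applied to a constructed cookie jar and scored against a constructed golden set. The name fragments, thresholds and sample cookies are all assumptions chosen for illustration. It shows both error kinds the evaluation counts: a random-looking tracking identifier that is wrongly flagged (false positive), and a short flag cookie that belongs to the authentication token but that a value-based heuristic cannot see (false negative).

```javascript
// Added example, not Serene's own code: a simple session-identifier heuristic
// over a cookie jar, scored against a small constructed golden set the way the
// follow-up work scored Serene and SessionShield (false positives / negatives).

// Name fragments that hint at a session or authentication role (assumed list).
const NAME_HINTS = /(sess|sid|auth|login)/i;

// Heuristic verdict for one cookie (or URL parameter).
// A cookie is treated as a session identifier when its name hints at that role,
// or when its value looks like an opaque random token: long, almost entirely
// alphanumeric and drawn from many distinct characters. Short flags and
// human-readable settings ("en-US", "dark") are left alone.
function looksLikeSessionId(name, value) {
  if (NAME_HINTS.test(name)) return true;
  if (value.length < 16) return false;
  const alnum = value.replace(/[^A-Za-z0-9]/g, '');
  if (alnum.length / value.length < 0.8) return false; // JSON, prose, URLs
  return new Set(value).size >= 10;
}

// Apply the same heuristic to every query parameter of a URL and return the
// names it flags (parameter-based session management).
function sessionParamsIn(url) {
  return [...new URL(url).searchParams.entries()]
    .filter(([name, value]) => looksLikeSessionId(name, value))
    .map(([name]) => name);
}

// Score the heuristic against a golden set: the cookie names that together
// form the real authentication token.
function evaluate(cookies, golden) {
  const truth = new Set(golden);
  const counts = { tp: 0, fp: 0, fn: 0, tn: 0 };
  for (const [name, value] of Object.entries(cookies)) {
    const predicted = looksLikeSessionId(name, value);
    const actual = truth.has(name);
    if (predicted && actual) counts.tp++;
    else if (predicted) counts.fp++;
    else if (actual) counts.fn++;
    else counts.tn++;
  }
  return counts;
}

// Constructed sample cookie jar; names and values are hypothetical.
const SAMPLE_COOKIES = {
  PHPSESSID: 'q3j8d2k1s9f0a7h6g5n4m3b2v1c0x9z8',
  auth_token: 'Zx9Q2pL7vM4rT8wK1nB6',
  remember_me: '1',
  lang: 'en-US',
  theme: 'dark',
  consent: 'yes',
  ab_variant: 'B',
  userdata: '{"name":"alice","plan":"pro"}',
  tracking_id: '9f8e7d6c5b4a39281706f5e4d3c2b1a0',
};

// Constructed golden set: the authentication token spans three cookies, one of
// which (remember_me) is a short flag the value heuristic cannot recognise.
const SAMPLE_GOLDEN = ['PHPSESSID', 'auth_token', 'remember_me'];

// Expected: { tp: 2, fp: 1, fn: 1, tn: 5 } -- tracking_id is the false
// positive, remember_me the false negative.
function evaluateSample() {
  return evaluate(SAMPLE_COOKIES, SAMPLE_GOLDEN);
}

console.log(evaluateSample());
console.log(sessionParamsIn('https://shop.example/cart?PHPSESSID=q3j8d2k1s9f0a7h6g5n4m3b2v1c0x9z8&page=2'));
```

The false positive is harmless for compatibility only because a protection mechanism that leaves a tracking cookie alone costs nothing; the false negative is the expensive kind, since a fixated remember_me-style flag would pass through unprotected, which is exactly the gap the golden sets expose.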
SERENE: SELF-RELIANT CLIENT-SIDE PROTECTION AGAINST SESSION FIXATION
The Web is the most widespread and de facto distributed platform, with a plethora of valuable applications and services. Building stateful services on the Web requires a session mechanism that keeps track of server-side session states, such as authentication data. These sessions are an attractive attacker target, since taking over an authenticated session fully compromises the user’s account. This chapter focuses on session fixation, where an attacker forces the user to use the attacker’s session, allowing the attacker to take over the session after authentication.
This chapter presents Serene, a self-reliant client-side countermeasure that protects the user from session fixation attacks, regardless of the security provisions – or lack thereof – of a Web application. By specifically protecting session identifiers from fixation and not interfering with other cookies or parameters, Serene is able to autonomously protect a large majority of Web applications, without being disruptive towards legitimate functionality. We experimentally validate these claims with a large-scale study of Alexa’s top one million sites, illustrating both Serene’s large coverage (83.43%) and compatibility (95.55%).
In the past few years, the security community has witnessed a shift in attacks originating from malicious individuals and the organized criminal underground. Attacks that used to target the server side of the Internet (e.g. Web, mail, and FTP servers) are now conducted on the client side, targeting the site, the user’s browser, or even the user himself. This phenomenon can be ascribed to the enormous expansion of Web sites and Web applications, which currently almost monopolize a user’s online activities. A substantial fraction of these attacks target a Web application’s session management, the cornerstone of any stateful Web application. Session management enables building stateful applications on top of a stateless protocol (HTTP), by grouping multiple related requests together into a session. Each session is assigned a unique identifier and can keep track of session-specific data, such as preferences, user information, or authentication state. Sessions are typically maintained through cookies, carried in the HTTP headers, or through parameters embedded in the page content.
One well-known session attack is session fixation. In a session fixation attack, the attacker first establishes a session between himself and the target application and subsequently forces this session into the user’s browser. Any action taken by the user within the application is associated with the user’s session, which is, in this case, identical to the attacker’s session. For example, if the user authenticates herself to the application, the session remembers the user’s information and authentication state. In case of a session fixation attack, the attacker shares the same session, allowing him to perform actions in the user’s name. Session fixation falls under the third-ranked risk in the OWASP Top 10 of Web application security risks (broken authentication and session management), which is assigned a prevalence of common.
An adequate, widely available by-design mitigation technique for session fixation is to issue a new (thus non-fixated) session identifier whenever the privilege level of a user changes, for example from unauthenticated to authenticated. Unfortunately, studies have shown that security guidelines are not applied as widely as one would hope or expect, thus leaving the user vulnerable to potential session fixation attacks. In this chapter, we present Serene, a self-reliant client-side countermeasure against session fixation attacks. Serene is compatible with applications using cookie-based and/or parameter-based session management. The main idea behind Serene is to prevent the browser from sending fixated session identifiers through cookies and to prevent the use of fixated session identifiers through parameters embedded in the pages’ contents. To distinguish session identifiers from other cookies or parameters, we present an elementary algorithm that covers a large majority of sites while maintaining a very low false-positive rate. To validate our identification algorithm and test our prototype implementation, we conducted a large-scale study of Alexa’s top one million sites, showing both the wide range of support and the compatibility of Serene.