Automated detection of session fixation vulnerabilities

Yusuke Takamatsu, Yuji Kosuga, Kenji Kono

Research output: Conference contribution (chapter in book/report/conference proceeding)

5 Citations (Scopus)

Abstract

Session fixation is a technique for obtaining a visitor's session identifier (SID) by forcing the visitor to use an SID supplied by the attacker. An attacker who obtains the victim's SID can masquerade as the visitor. In this paper, we propose a technique to automatically detect session fixation vulnerabilities in web applications. Our technique uses an attack simulator that executes a real session fixation attack and checks whether it succeeds. In the experiment, our system successfully detected vulnerabilities in our original test cases and in a real-world web application.

Original language: English
Title of host publication: Proceedings of the 19th International Conference on World Wide Web, WWW '10
Pages: 1191-1192
Number of pages: 2
DOIs: 10.1145/1772690.1772869
Publication status: Published - 2010
Event: 19th International World Wide Web Conference, WWW2010 - Raleigh, NC, United States
Duration: 2010 Apr 26 to 2010 Apr 30

Other

Other: 19th International World Wide Web Conference, WWW2010
Country: United States
City: Raleigh, NC
Period: 10/4/26 to 10/4/30

Fingerprint

Simulators
Experiments

Keywords

  • session fixation
  • web application security

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications

Cite this

Takamatsu, Y., Kosuga, Y., & Kono, K. (2010). Automated detection of session fixation vulnerabilities. In Proceedings of the 19th International Conference on World Wide Web, WWW '10 (pp. 1191-1192) https://doi.org/10.1145/1772690.1772869

@inproceedings{0879d36b18e74897a4a2990e8f1c2fb0,
title = "Automated detection of session fixation vulnerabilities",
abstract = "Session fixation is a technique for obtaining the visitor's session identifier (SID) by forcing the visitor to use the SID supplied by the attacker. The attacker who obtains the victim's SID can masquerade as the visitor. In this paper, we propose a technique to automatically detect session fixation vulnerabilities in web applications. Our technique uses attack simulator that executes a real session fixation attack and check whether it is successful or not. In the experiment, our system successfully detected vulnerabilities in our original test cases and in a real world web application.",
keywords = "session fixation, web application security",
author = "Yusuke Takamatsu and Yuji Kosuga and Kenji Kono",
year = "2010",
doi = "10.1145/1772690.1772869",
language = "English",
isbn = "9781605587998",
pages = "1191--1192",
booktitle = "Proceedings of the 19th International Conference on World Wide Web, WWW '10",

}

TY - GEN

T1 - Automated detection of session fixation vulnerabilities

AU - Takamatsu, Yusuke

AU - Kosuga, Yuji

AU - Kono, Kenji

PY - 2010

Y1 - 2010

KW - session fixation

KW - web application security

UR - http://www.scopus.com/inward/record.url?scp=77954611830&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=77954611830&partnerID=8YFLogxK

U2 - 10.1145/1772690.1772869

DO - 10.1145/1772690.1772869

M3 - Conference contribution

AN - SCOPUS:77954611830

SN - 9781605587998

SP - 1191

EP - 1192

BT - Proceedings of the 19th International Conference on World Wide Web, WWW '10

ER -