Automated detection of session fixation vulnerabilities

Yusuke Takamatsu; Yuji Kosuga; Kenji Kono

doi:10.1145/1772690.1772869

Automated detection of session fixation vulnerabilities

Yusuke Takamatsu, Yuji Kosuga, Kenji Kono

Department of Information and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

Session fixation is a technique for obtaining the visitor's session identifier (SID) by forcing the visitor to use the SID supplied by the attacker. The attacker who obtains the victim's SID can masquerade as the visitor. In this paper, we propose a technique to automatically detect session fixation vulnerabilities in web applications. Our technique uses attack simulator that executes a real session fixation attack and check whether it is successful or not. In the experiment, our system successfully detected vulnerabilities in our original test cases and in a real world web application.

Original language	English
Title of host publication	Proceedings of the 19th International Conference on World Wide Web, WWW '10
Pages	1191-1192
Number of pages	2
DOIs	https://doi.org/10.1145/1772690.1772869
Publication status	Published - 2010 Jul 20
Event	19th International World Wide Web Conference, WWW2010 - Raleigh, NC, United States Duration: 2010 Apr 26 → 2010 Apr 30

Publication series

Name	Proceedings of the 19th International Conference on World Wide Web, WWW '10

Other

Other	19th International World Wide Web Conference, WWW2010
Country	United States
City	Raleigh, NC
Period	10/4/26 → 10/4/30

Fingerprint

Keywords

session fixation
web application security

ASJC Scopus subject areas

Computer Networks and Communications
Computer Science Applications

Cite this

Takamatsu, Y., Kosuga, Y., & Kono, K. (2010). Automated detection of session fixation vulnerabilities. In Proceedings of the 19th International Conference on World Wide Web, WWW '10 (pp. 1191-1192). (Proceedings of the 19th International Conference on World Wide Web, WWW '10). https://doi.org/10.1145/1772690.1772869

Takamatsu, Y, Kosuga, Y & Kono, K 2010, Automated detection of session fixation vulnerabilities. in Proceedings of the 19th International Conference on World Wide Web, WWW '10. Proceedings of the 19th International Conference on World Wide Web, WWW '10, pp. 1191-1192, 19th International World Wide Web Conference, WWW2010, Raleigh, NC, United States, 10/4/26. https://doi.org/10.1145/1772690.1772869

@inproceedings{0879d36b18e74897a4a2990e8f1c2fb0,

title = "Automated detection of session fixation vulnerabilities",

abstract = "Session fixation is a technique for obtaining the visitor's session identifier (SID) by forcing the visitor to use the SID supplied by the attacker. The attacker who obtains the victim's SID can masquerade as the visitor. In this paper, we propose a technique to automatically detect session fixation vulnerabilities in web applications. Our technique uses attack simulator that executes a real session fixation attack and check whether it is successful or not. In the experiment, our system successfully detected vulnerabilities in our original test cases and in a real world web application.",

keywords = "session fixation, web application security",

author = "Yusuke Takamatsu and Yuji Kosuga and Kenji Kono",

year = "2010",

month = jul

day = "20",

doi = "10.1145/1772690.1772869",

language = "English",

isbn = "9781605587998",

series = "Proceedings of the 19th International Conference on World Wide Web, WWW '10",

pages = "1191--1192",

booktitle = "Proceedings of the 19th International Conference on World Wide Web, WWW '10",

note = "19th International World Wide Web Conference, WWW2010 ; Conference date: 26-04-2010 Through 30-04-2010",

}

TY - GEN

T1 - Automated detection of session fixation vulnerabilities

AU - Takamatsu, Yusuke

AU - Kosuga, Yuji

AU - Kono, Kenji

PY - 2010/7/20

Y1 - 2010/7/20

N2 - Session fixation is a technique for obtaining the visitor's session identifier (SID) by forcing the visitor to use the SID supplied by the attacker. The attacker who obtains the victim's SID can masquerade as the visitor. In this paper, we propose a technique to automatically detect session fixation vulnerabilities in web applications. Our technique uses attack simulator that executes a real session fixation attack and check whether it is successful or not. In the experiment, our system successfully detected vulnerabilities in our original test cases and in a real world web application.

AB - Session fixation is a technique for obtaining the visitor's session identifier (SID) by forcing the visitor to use the SID supplied by the attacker. The attacker who obtains the victim's SID can masquerade as the visitor. In this paper, we propose a technique to automatically detect session fixation vulnerabilities in web applications. Our technique uses attack simulator that executes a real session fixation attack and check whether it is successful or not. In the experiment, our system successfully detected vulnerabilities in our original test cases and in a real world web application.

KW - session fixation

KW - web application security

UR - http://www.scopus.com/inward/record.url?scp=77954611830&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=77954611830&partnerID=8YFLogxK

U2 - 10.1145/1772690.1772869

DO - 10.1145/1772690.1772869

M3 - Conference contribution

AN - SCOPUS:77954611830

SN - 9781605587998

T3 - Proceedings of the 19th International Conference on World Wide Web, WWW '10

SP - 1191

EP - 1192

BT - Proceedings of the 19th International Conference on World Wide Web, WWW '10

T2 - 19th International World Wide Web Conference, WWW2010

Y2 - 26 April 2010 through 30 April 2010

ER -

Access to Document

10.1145/1772690.1772869