Automated detection of session fixation vulnerabilities

Yusuke Takamatsu, Yuji Kosuga, Kenji Kono

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

Session fixation is a technique for obtaining a visitor's session identifier (SID) by forcing the visitor to use an SID supplied by the attacker. An attacker who obtains the victim's SID can masquerade as the victim. In this paper, we propose a technique to automatically detect session fixation vulnerabilities in web applications. Our technique uses an attack simulator that executes a real session fixation attack and checks whether it succeeds. In our experiments, the system successfully detected vulnerabilities in our own test cases and in a real-world web application.
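The detection idea described in the abstract, as an added illustration that is not the paper's code: a constructed in-memory web app with a login handler, and a simulator that runs the fixation attack end to end and reports whether the pre-authentication SID still identifies the victim afterwards. The app, its `regenerate_on_login` switch and the test credentials are all assumptions made for this example.

```python
import secrets
from typing import Optional

USERS = {"alice": "correct horse"}  # constructed test credentials


class ToyApp:
    """Minimal cookie-session web app (constructed for this example).
    regenerate_on_login=False reproduces the classic session fixation defect:
    the SID a visitor arrived with survives authentication, so whoever chose
    that SID is now logged in as the user."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions: dict = {}

    def visit(self, sid: Optional[str] = None) -> str:
        # Adopts a client-supplied SID and creates a session for it if unknown
        # (permissive session adoption, the precondition for fixation).
        if sid is None or sid not in self.sessions:
            sid = sid or secrets.token_hex(16)
            self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        if USERS.get(user) != password:
            return sid
        if self.regenerate_on_login:
            # Hardened handler: discard the pre-auth session and issue a fresh SID.
            del self.sessions[sid]
            sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user}
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid, {}).get("user")


def simulate_fixation(app: ToyApp) -> bool:
    """Run the attack scenario and report whether it succeeded (True = vulnerable)."""
    attacker_sid = app.visit()                          # attacker obtains a valid SID
    app.visit(attacker_sid)                             # victim's browser is made to use it
    app.login(attacker_sid, "alice", "correct horse")   # victim authenticates
    # Success criterion: the SID the attacker still holds now maps to the victim.
    return app.whoami(attacker_sid) == "alice"
```

Regenerating the SID on every privilege change (login, role switch) is the mitigation the simulator's success criterion points at; an app that also rejects unknown client-supplied SIDs removes the precondition entirely.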

Original language: English
Title of host publication: Proceedings of the 19th International Conference on World Wide Web, WWW '10
Pages: 1191-1192
Number of pages: 2
DOIs: https://doi.org/10.1145/1772690.1772869
Publication status: Published - 2010 Jul 20
Event: 19th International World Wide Web Conference, WWW2010 - Raleigh, NC, United States
Duration: 2010 Apr 26 - 2010 Apr 30

Publication series

Name: Proceedings of the 19th International Conference on World Wide Web, WWW '10

Other

Other: 19th International World Wide Web Conference, WWW2010
Country: United States
City: Raleigh, NC
Period: 10/4/26 - 10/4/30

Keywords

  • session fixation
  • web application security

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications

Cite this

Takamatsu, Y., Kosuga, Y., & Kono, K. (2010). Automated detection of session fixation vulnerabilities. In Proceedings of the 19th International Conference on World Wide Web, WWW '10 (pp. 1191-1192). (Proceedings of the 19th International Conference on World Wide Web, WWW '10). https://doi.org/10.1145/1772690.1772869