TY - GEN
T1 - Automated detection of session fixation vulnerabilities
AU - Takamatsu, Yusuke
AU - Kosuga, Yuji
AU - Kono, Kenji
N1 - Copyright:
Copyright 2010 Elsevier B.V., All rights reserved.
PY - 2010
Y1 - 2010
N2 - Session fixation is an attack in which the attacker learns the visitor's session identifier (SID) by forcing the visitor to use an SID supplied by the attacker. An attacker who knows the victim's SID can masquerade as the victim. In this paper, we propose a technique to automatically detect session fixation vulnerabilities in web applications. Our technique uses an attack simulator that executes a real session fixation attack against the application and checks whether the attack succeeds. In our experiments, the system successfully detected vulnerabilities in our original test cases and in a real-world web application.
AB - Session fixation is an attack in which the attacker learns the visitor's session identifier (SID) by forcing the visitor to use an SID supplied by the attacker. An attacker who knows the victim's SID can masquerade as the victim. In this paper, we propose a technique to automatically detect session fixation vulnerabilities in web applications. Our technique uses an attack simulator that executes a real session fixation attack against the application and checks whether the attack succeeds. In our experiments, the system successfully detected vulnerabilities in our original test cases and in a real-world web application.
KW - session fixation
KW - web application security
UR - http://www.scopus.com/inward/record.url?scp=77954611830&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77954611830&partnerID=8YFLogxK
U2 - 10.1145/1772690.1772869
DO - 10.1145/1772690.1772869
M3 - Conference contribution
AN - SCOPUS:77954611830
SN - 9781605587998
T3 - Proceedings of the 19th International Conference on World Wide Web, WWW '10
SP - 1191
EP - 1192
BT - Proceedings of the 19th International Conference on World Wide Web, WWW '10
T2 - 19th International World Wide Web Conference, WWW2010
Y2 - 26 April 2010 through 30 April 2010
ER -
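The attack flow and the attack-simulator approach described in the abstract, as an added example that is not code from the paper or its authors. The application is modelled in-process as a request handler (an assumption; the paper's simulator drives real web applications over HTTP, and the paper does not publish its exact success check). The model has a deliberately vulnerable configuration (the pre-login SID is kept after authentication) beside the hardened one (a fresh SID is issued at login), and the simulator performs the three steps of a session fixation attack and reports whether the attacker ends up inside the victim's authenticated session. The user name, password, paths and helper names are constructed for the example.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed credentials for the simulated victim; any values work.
USERS = {"alice": "correct horse battery staple"}


class WebApp:
    """Minimal cookie-session application modelled as a request handler.

    regenerate_on_login=False reproduces the classic session fixation bug:
    the SID that existed before authentication is kept afterwards, so whoever
    chose that SID now shares the authenticated session.
    regenerate_on_login=True is the standard fix: discard the pre-login SID
    and issue a fresh one once the user is authenticated.
    """

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions: Dict[str, dict] = {}

    def _session(self, sid: Optional[str]) -> str:
        # Adopt any SID the client presents, creating state for unknown ones.
        # Accepting client-chosen SIDs is what lets an attacker fix the value
        # in advance; it is modelled here because it is the bug under test.
        if sid is None or sid not in self.sessions:
            sid = sid or secrets.token_hex(16)
            self.sessions[sid] = {}
        return sid

    def request(self, path: str, sid: Optional[str] = None,
                form: Optional[dict] = None) -> Tuple[str, str]:
        """Handle one request; return (response body, SID set as the cookie)."""
        sid = self._session(sid)
        if path == "/login":
            form = form or {}
            user = form.get("user")
            if user is None or USERS.get(user) != form.get("password"):
                return "login failed", sid
            if self.regenerate_on_login:
                del self.sessions[sid]          # old SID is no longer valid
                sid = secrets.token_hex(16)
                self.sessions[sid] = {}
            self.sessions[sid]["user"] = user
            return "welcome " + user, sid
        if path == "/account":
            user = self.sessions[sid].get("user")
            return ("account of " + user) if user else "not logged in", sid
        return "not found", sid


def simulate_session_fixation(app: WebApp) -> bool:
    """Execute a real session fixation attack; True means the app is vulnerable.

    1. The attacker obtains an SID from the application.
    2. The victim is forced to use that SID (via a crafted link, cookie
       injection, etc.; the delivery channel is outside this model) and logs in.
    3. The attacker replays the same SID and checks for the victim's
       authenticated state.
    """
    _, attacker_sid = app.request("/")                              # step 1
    body, _ = app.request("/login", sid=attacker_sid,               # step 2
                          form={"user": "alice",
                                "password": USERS["alice"]})
    if not body.startswith("welcome"):
        raise RuntimeError("victim login failed; the probe is inconclusive")
    body, _ = app.request("/account", sid=attacker_sid)             # step 3
    return body == "account of alice"


def classify(app: WebApp) -> str:
    """Verdict string for one application configuration."""
    return "VULNERABLE" if simulate_session_fixation(app) else "not vulnerable"


if __name__ == "__main__":
    print("no SID regeneration:", classify(WebApp(regenerate_on_login=False)))
    print("SID regenerated on login:", classify(WebApp(regenerate_on_login=True)))
```

The check in step 3 is the oracle: the simulator does not look for a particular code pattern, it observes whether the attacker-chosen SID now maps to the victim's account, which is exactly the condition the abstract's "check whether it is successful" refers to. Note that the hardened configuration still adopts unknown client-supplied SIDs; that is a second weakness a production scanner would report separately, since regeneration at login protects only the authenticated session and not any state accumulated before login.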