Automated detection of session management vulnerabilities in web applications

Yusuke Takamatsu, Yuji Kosuga, Kenji Kono

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

Many web applications employ session management to keep track of visitors' activities across pages and over periods of time. A session is a period of time linked to a visitor: it is initiated when he/she arrives at a web application and ends when his/her browser is closed or after a certain period of inactivity. Attackers can hijack a user's session by exploiting session management vulnerabilities through session fixation and cross-site request forgery attacks. Even though such session management vulnerabilities can be eliminated during the development phase of web applications, the test operator is required to have detailed knowledge of the attacks and to set up a test environment each time he/she attempts to detect vulnerabilities. We propose a technique that automatically detects session management vulnerabilities in web applications by simulating real attacks. Our technique requires the test operator to enter only a few pieces of basic information about the web application, without requiring a test environment to be set up or detailed knowledge of the web application. Our experiments demonstrated that our technique could detect vulnerabilities in five web applications deployed in the real world.

Original language: English
Title of host publication: 2012 10th Annual International Conference on Privacy, Security and Trust, PST 2012
Pages: 112-119
Number of pages: 8
DOIs: https://doi.org/10.1109/PST.2012.6297927
Publication status: Published - 2012 Nov 6
Event: 2012 10th Annual International Conference on Privacy, Security and Trust, PST 2012 - Paris, France
Duration: 2012 Jul 16 to 2012 Jul 18

Publication series

Name: 2012 10th Annual International Conference on Privacy, Security and Trust, PST 2012

Other

Other: 2012 10th Annual International Conference on Privacy, Security and Trust, PST 2012
Country: France
City: Paris
Period: 12/7/16 to 12/7/18

ASJC Scopus subject areas

  • Artificial Intelligence
  • Computer Graphics and Computer-Aided Design
  • Hardware and Architecture


Cite this

    Takamatsu, Y., Kosuga, Y., & Kono, K. (2012). Automated detection of session management vulnerabilities in web applications. In 2012 10th Annual International Conference on Privacy, Security and Trust, PST 2012 (pp. 112-119). [6297927] (2012 10th Annual International Conference on Privacy, Security and Trust, PST 2012). https://doi.org/10.1109/PST.2012.6297927