Automatically checking for session management vulnerabilities in web applications

Yusuke Takamatsu, Yuji Kosuga, Kenji Kono

Research output: Contribution to journal › Article

Abstract

Many web applications employ session management to keep track of visitors' activities across pages and over periods of time. A session is a period of time linked to a visitor, which is initiated when he/she arrives at a web application and ends when his/her browser is closed or after a certain time of inactivity. Attackers can hijack a user's session by exploiting session management vulnerabilities by means of session fixation and cross-site request forgery attacks. Even though such session management vulnerabilities can be eliminated in the development phase of web applications, the test operator is required to have detailed knowledge of the attacks and to set up a test environment each time he/she attempts to detect vulnerabilities. We propose a technique that automatically detects session management vulnerabilities in web applications by simulating real attacks. Our technique requires the test operator to enter only a few pieces of basic information about the web application, without requiring a test environment to be set up or detailed knowledge of the web application. Our experiments demonstrated that our technique could detect vulnerabilities in a web application we built and in seven web applications deployed in the real world.

Original language: English
Pages (from-to): 17-27
Number of pages: 11
Journal: IPSJ Online Transactions
Volume: 6
Issue number: 1
DOI: 10.2197/ipsjtrans.6.17
Publication status: Published - 2013

Keywords

  • Cross site request forgery
  • Session fixation
  • Session management
  • Vulnerability
  • Web application security

ASJC Scopus subject areas

  • Computer Science (all)

Cite this

Automatically checking for session management vulnerabilities in web applications. / Takamatsu, Yusuke; Kosuga, Yuji; Kono, Kenji.

In: IPSJ Online Transactions, Vol. 6, No. 1, 2013, p. 17-27.

@article{08e93146f7e3481698cc627fc3cd15d7,
title = "Automatically checking for session management vulnerabilities in web applications",
abstract = "Many web applications employ session management to keep track of visitors' activities across pages and over periods of time. A session is a period of time linked to a visitor, which is initiated when he/she arrives at a web application and it ends when his/her browser is closed or after a certain time of inactivity. Attackers can hijack a user's session by exploiting session management vulnerabilities by means of session fixation and cross-site request forgery attacks. Even though such session management vulnerabilities can be eliminated in the development phase of web applications, the test operator is required to have detailed knowledge of the attacks and to set up a test environment each time he/she attempts to detect vulnerabilities. We propose a technique that automatically detects session management vulnerabilities in web applications by simulating real attacks. Our technique requires the test operator to enter only a few pieces of basic information about the web application, without requiring a test environment to be set up or detailed knowledge of the web application. Our experiments demonstrated that our technique could detect vulnerabilities in a web application we built and in seven web applications deployed in the real world.",
keywords = "Cross site request forgery, Session fixation, Session management, Vulnerability, Web application security",
author = "Yusuke Takamatsu and Yuji Kosuga and Kenji Kono",
year = "2013",
doi = "10.2197/ipsjtrans.6.17",
language = "English",
volume = "6",
pages = "17--27",
journal = "IPSJ Online Transactions",
issn = "1882-6660",
publisher = "Information Processing Society of Japan",
number = "1",
}

TY  - JOUR
T1  - Automatically checking for session management vulnerabilities in web applications
AU  - Takamatsu, Yusuke
AU  - Kosuga, Yuji
AU  - Kono, Kenji
PY  - 2013
Y1  - 2013
N2  - Many web applications employ session management to keep track of visitors' activities across pages and over periods of time. A session is a period of time linked to a visitor, which is initiated when he/she arrives at a web application and it ends when his/her browser is closed or after a certain time of inactivity. Attackers can hijack a user's session by exploiting session management vulnerabilities by means of session fixation and cross-site request forgery attacks. Even though such session management vulnerabilities can be eliminated in the development phase of web applications, the test operator is required to have detailed knowledge of the attacks and to set up a test environment each time he/she attempts to detect vulnerabilities. We propose a technique that automatically detects session management vulnerabilities in web applications by simulating real attacks. Our technique requires the test operator to enter only a few pieces of basic information about the web application, without requiring a test environment to be set up or detailed knowledge of the web application. Our experiments demonstrated that our technique could detect vulnerabilities in a web application we built and in seven web applications deployed in the real world.
AB  - Many web applications employ session management to keep track of visitors' activities across pages and over periods of time. A session is a period of time linked to a visitor, which is initiated when he/she arrives at a web application and it ends when his/her browser is closed or after a certain time of inactivity. Attackers can hijack a user's session by exploiting session management vulnerabilities by means of session fixation and cross-site request forgery attacks. Even though such session management vulnerabilities can be eliminated in the development phase of web applications, the test operator is required to have detailed knowledge of the attacks and to set up a test environment each time he/she attempts to detect vulnerabilities. We propose a technique that automatically detects session management vulnerabilities in web applications by simulating real attacks. Our technique requires the test operator to enter only a few pieces of basic information about the web application, without requiring a test environment to be set up or detailed knowledge of the web application. Our experiments demonstrated that our technique could detect vulnerabilities in a web application we built and in seven web applications deployed in the real world.
KW  - Cross site request forgery
KW  - Session fixation
KW  - Session management
KW  - Vulnerability
KW  - Web application security
UR  - http://www.scopus.com/inward/record.url?scp=84880626259&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=84880626259&partnerID=8YFLogxK
U2  - 10.2197/ipsjtrans.6.17
DO  - 10.2197/ipsjtrans.6.17
M3  - Article
AN  - SCOPUS:84880626259
VL  - 6
SP  - 17
EP  - 27
JO  - IPSJ Online Transactions
JF  - IPSJ Online Transactions
SN  - 1882-6660
IS  - 1
ER  -