Automatic and Robust Client-Side Protection for Cookie-Based Sessions

Session cookies constitute one of the main attack targets against client authentication on the Web. To counter this threat, modern web browsers implement native cookie protection mechanisms based on the Secure and HttpOnly flags. While there is a general understanding of the effectiveness of these defenses, no formal result has so far been proved about the security guarantees they convey. With the present paper we provide the first such result, with a mechanized proof of noninterference assessing the robustness of the Secure and HttpOnly cookie flags against both web and network attacks. We then develop CookiExt, a browser extension that provides client-side protection against session hijacking based on appropriate flagging of session cookies and automatic redirection over HTTPS for HTTP requests carrying such cookies. Our solution improves over existing client-side defenses by combining protection against both web and network attacks, while at the same time being designed so as to minimise its effects on the user's browsing experience.
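As an added illustration (not code from the paper or from CookiExt itself), the JavaScript below models the two halves of the client-side policy the abstract describes: rewriting Set-Cookie headers so that session cookies carry Secure and HttpOnly, and upgrading plain-HTTP requests that would carry such a cookie to HTTPS. The session-cookie heuristic, the function names and the sample cookies are assumptions made for this example; the paper's actual detection rules are not on this page.

```javascript
// Added example, not CookiExt's own code. The session-cookie heuristic below
// (session-like name plus opaque-looking value) is an assumed stand-in.
const SESSION_NAME_RE = /sess|sid|auth|token/i;

// Parse a Set-Cookie header into its name=value pair and raw attribute list.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

// Assumed heuristic: the name looks session-like and the value is a long token.
function isSessionCookie(c) {
  return SESSION_NAME_RE.test(c.name) && c.value.length >= 16;
}

// Flagging half of the policy: session cookies get Secure (never sent over
// plain HTTP, so a network attacker cannot sniff them) and HttpOnly (hidden
// from page scripts, so injected JavaScript cannot read them). Other cookies
// pass through unchanged to avoid disturbing the site.
function hardenSetCookie(header) {
  const c = parseSetCookie(header);
  if (!isSessionCookie(c)) return header;
  const kept = c.attrs.filter(a => !/^(secure|httponly)$/i.test(a));
  return [`${c.name}=${c.value}`, ...kept, 'Secure', 'HttpOnly'].join('; ');
}

// Would this cookie be attached to a request for `host`? A Domain attribute
// matches that domain and its subdomains; a host-only cookie matches only the
// host that set it (recorded in `cookie.setter`).
function cookieAppliesTo(cookie, host) {
  const m = cookie.attrs.map(a => a.match(/^domain=(.+)$/i)).find(Boolean);
  if (!m) return host === cookie.setter;
  const d = m[1].replace(/^\./, '').toLowerCase();
  return host === d || host.endsWith('.' + d);
}

// Redirection half of the policy: an http:// request that would carry a
// session cookie is upgraded to https://; every other request is left alone so
// cookie-less plain-HTTP browsing keeps working.
function upgradeRequest(url, jar) {
  const u = new URL(url);
  if (u.protocol !== 'http:') return url;
  const carries = jar.some(c => isSessionCookie(c) && cookieAppliesTo(c, u.hostname));
  if (!carries) return url;
  u.protocol = 'https:';
  return u.toString();
}

// Constructed sample jar: a login response set a bare session cookie.
const jar = [Object.assign(parseSetCookie('SESSID=9f2c4a7b1e8d3c6f0a5b; Path=/'), { setter: 'shop.example' })];
```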
