Title: SessionShield: Lightweight protection against session hijacking
Authors: Nikiforakis, Nick
Meert, Wannes
Younan, Yves
Johns, Martin
Joosen, Wouter
Issue Date: Feb-2011
Publisher: Springer
Host Document: Third International Symposium, ESSoS 2011 vol:6542 pages:87-100
Conference: Engineering Secure Software and Systems edition:3 location:Madrid, Spain date:9-10 February 2011
Abstract: The class of Cross-site Scripting (XSS) vulnerabilities is the most prevalent security problem in the field of Web applications. One of the main attack vectors used in connection with XSS is session hijacking via session identifier theft. While session hijacking is a client-side attack, the actual vulnerability resides on the server-side and, thus, has to be handled by the website's operator. In consequence, if the operator fails to address XSS, the application's users are defenseless against session hijacking attacks.

In this paper we present SessionShield, a lightweight client-side protection mechanism against session hijacking that allows users to protect themselves even if a vulnerable website's operator neglects to mitigate existing XSS problems. SessionShield is based on the observation that session identifier values are not used by legitimate client-side scripts and thus need not be available to the scripting languages running in the browser. Our system requires no training period and imposes negligible overhead on the browser, making it well suited to both desktop and mobile systems.
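The mechanism the abstract describes, as an added example that is not SessionShield's own code: a shield sitting between the browser and the network strips cookies that look like session identifiers out of Set-Cookie headers before the browser (and therefore any injected script reading document.cookie) sees them, keeps them in its own store, and re-attaches them to outgoing requests so the session keeps working. The cookie-name list, the entropy threshold, the host name and the cookie values below are assumptions made for illustration, not rules taken from the paper.

```python
import math
import re
from collections import Counter

# Assumed heuristics (illustrative, not the paper's exact rules): cookie names
# that common web frameworks use for session identifiers, plus a fallback for
# names that hint at a session and carry a long, high-entropy value.
KNOWN_SESSION_COOKIES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "sid"}
NAME_HINT = re.compile(r"sess|sid|auth|token", re.IGNORECASE)


def shannon_entropy(value: str) -> float:
    """Bits per character: random-looking identifiers score high, words score low."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_session_identifier(name: str, value: str) -> bool:
    """Decide whether a cookie carries a session identifier (assumed heuristic)."""
    lname = name.lower()
    if lname in KNOWN_SESSION_COOKIES:
        return True
    return bool(NAME_HINT.search(lname)) and len(value) >= 16 and shannon_entropy(value) >= 3.0


class SessionShield:
    """Model of a client-side shield between the browser and the network."""

    def __init__(self):
        self.store = {}  # host -> {cookie name: value}, invisible to the browser

    def filter_response(self, host, headers):
        """Remove session-id Set-Cookie headers from a response; keep them in the store."""
        kept = []
        for hname, hvalue in headers:
            if hname.lower() == "set-cookie":
                name, _, value = hvalue.split(";", 1)[0].partition("=")
                name, value = name.strip(), value.strip()
                if is_session_identifier(name, value):
                    self.store.setdefault(host, {})[name] = value
                    continue  # the browser never learns this cookie
            kept.append((hname, hvalue))
        return kept

    def filter_request(self, host, headers):
        """Re-attach stored session cookies to an outgoing request for that host."""
        stored = self.store.get(host)
        if not stored:
            return list(headers)
        extra = "; ".join(f"{k}={v}" for k, v in stored.items())
        out, merged = [], False
        for hname, hvalue in headers:
            if hname.lower() == "cookie":
                out.append((hname, f"{hvalue}; {extra}" if hvalue else extra))
                merged = True
            else:
                out.append((hname, hvalue))
        if not merged:
            out.append(("Cookie", extra))
        return out


def browser_cookie_jar(headers):
    """What the browser stores from the Set-Cookie headers it actually received."""
    jar = {}
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            name, _, value = hvalue.split(";", 1)[0].partition("=")
            jar[name.strip()] = value.strip()
    return jar


def demo():
    """Constructed round trip: returns (document.cookie as a script sees it, Cookie header on the wire)."""
    shield = SessionShield()
    host = "vulnerable.example"  # assumed host name
    # Constructed response: the operator neglected HttpOnly, so without the
    # shield an injected script could read PHPSESSID via document.cookie.
    response = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "PHPSESSID=0123456789abcdef0123456789abcdef; Path=/"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ]
    jar = browser_cookie_jar(shield.filter_response(host, response))
    document_cookie = "; ".join(f"{k}={v}" for k, v in jar.items())
    # The browser sends only the cookies it knows; the shield adds the rest.
    wire = shield.filter_request(host, [("Host", host), ("Cookie", document_cookie)])
    return document_cookie, dict(wire)["Cookie"]


if __name__ == "__main__":
    script_view, on_wire = demo()
    print("document.cookie sees:", script_view)
    print("server receives Cookie:", on_wire)
```

Two caveats a practitioner would want: the classification is only as good as its heuristics, so a session cookie with an unusual name and a short value slips through, and a non-session cookie with a random-looking value may be hidden from a script that legitimately needs it. Also, hiding the identifier stops theft via document.cookie but not the injected script itself, which can still issue same-origin requests that the browser and shield will happily authenticate.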
ISBN: 978-3-642-19124-4
ISSN: 0302-9743
Publication status: published
KU Leuven publication type: IC
Appears in Collections:Informatics Section

Files in This Item:
File: sshield.pdf (Main Paper), Status: Published, Size: 177Kb, Format: Adobe PDF
