Title: Serene: Self-reliant client-side protection against session fixation
Authors: De Ryck, Philippe; Nikiforakis, Nick; Desmet, Lieven; Piessens, Frank; Joosen, Wouter #
Issue Date: Jun-2012
Publisher: Springer-Verlag
Host Document: 12th IFIP International Conference on Distributed Applications and Interoperable Systems, pages 59-72
Series Title: IFIP-LNCS
Conference: DAIS, edition 12, location: Stockholm, Sweden, date: 13-15 June 2012
Abstract: The web is the most wide-spread and de facto distributed platform, with a plethora of valuable applications and services. Building stateful services on the web requires a session mechanism that keeps track of server-side session state, such as authentication data. These sessions are an attractive attacker target, since taking over an authenticated session fully compromises the user’s account. This paper focuses on session fixation, where an attacker forces the user to use the attacker’s session, allowing the attacker to take over the session after authentication.

We present Serene, a self-reliant client-side countermeasure that protects the user from session fixation attacks, regardless of the security provisions – or lack thereof – of a web application. By specifically protecting session identifiers from fixation and not interfering with other cookies or parameters, Serene is able to autonomously protect a large majority of web applications, without being disruptive towards legitimate functionality. We experimentally validate these claims with a large scale study of Alexa’s top one million sites, illustrating both Serene’s large coverage (83.43%) and compatibility (95.55%).
Publication status: published
KU Leuven publication type: IC
Appears in Collections: Informatics Section
# (joint) last author

Files in This Item: paper.pdf (Published, 335 Kb, Adobe PDF)