Automatically Checking for Session Management Vulnerabilities in Web Applications

Full description

Bibliographic details
Published in: Information and Media Technologies 2013, Vol.8(2), pp.594-604
Main authors: Takamatsu, Yusuke; Kosuga, Yuji; Kono, Kenji
Format: Article
Language: eng
Subjects: cross site request forgery; session fixation; session management; vulnerability; web application security
Online access: Full text
container_end_page 604
container_issue 2
container_start_page 594
container_title Information and Media Technologies
container_volume 8
creator Takamatsu, Yusuke
Kosuga, Yuji
Kono, Kenji
description Many web applications employ session management to keep track of visitors' activities across pages and over periods of time. A session is a period of time linked to a visitor, which is initiated when he/she arrives at a web application and it ends when his/her browser is closed or after a certain time of inactivity. Attackers can hijack a user's session by exploiting session management vulnerabilities by means of session fixation and cross-site request forgery attacks. Even though such session management vulnerabilities can be eliminated in the development phase of web applications, the test operator is required to have detailed knowledge of the attacks and to set up a test environment each time he/she attempts to detect vulnerabilities. We propose a technique that automatically detects session management vulnerabilities in web applications by simulating real attacks. Our technique requires the test operator to enter only a few pieces of basic information about the web application, without requiring a test environment to be set up or detailed knowledge of the web application. Our experiments demonstrated that our technique could detect vulnerabilities in a web application we built and in seven web applications deployed in the real world.
doi_str_mv 10.11185/imt.8.594
format Article
addtitle IMT
publisher Tokyo: Information and Media Technologies Editorial Board
rights 2013 Information Processing Society of Japan; Copyright Japan Science and Technology Agency 2013
tpages 11
oa free_for_read
fulltext fulltext
identifier EISSN: 1881-0896
ispartof Information and Media Technologies, 2013, Vol.8(2), pp.594-604
issn 1881-0896
language eng
recordid cdi_proquest_journals_1477988365
source J-STAGE (Japan Science & Technology Information Aggregator, Electronic) Freely Available Titles - Japanese; EZB-FREE-00999 freely available EZB journals
subjects cross site request forgery
session fixation
session management
vulnerability
web application security
title Automatically Checking for Session Management Vulnerabilities in Web Applications
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-03T01%3A24%3A01IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_jstag&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Automatically%20Checking%20for%20Session%20Management%20Vulnerabilities%20in%20Web%20Applications&rft.jtitle=Information%20and%20Media%20Technologies&rft.au=Takamatsu,%20Yusuke&rft.date=2013&rft.volume=8&rft.issue=2&rft.spage=594&rft.epage=604&rft.pages=594-604&rft.eissn=1881-0896&rft_id=info:doi/10.11185/imt.8.594&rft_dat=%3Cproquest_jstag%3E3184165181%3C/proquest_jstag%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=1477988365&rft_id=info:pmid/&rfr_iscdi=true