poster

Sound and Static Analysis of Session Fixation Vulnerabilities in PHP Web Applications

Authors:
Abdelouahab Amira

Research Center on Scientific and Technical Information CERIST & A.MIRA University, Algiers, Algeria

Research Center on Scientific and Technical Information CERIST & A.MIRA University, Algiers, Algeria
View Profile

,
Abdelraouf Ouadjaout

LIP6, University Pierre and Marie Curie, Paris, France

LIP6, University Pierre and Marie Curie, Paris, France
View Profile

,
Abdelouahid Derhab

King Saud University, Riyadh, Saudi Arabia

King Saud University, Riyadh, Saudi Arabia
View Profile

,
Nadjib Badache

Centre de recherche sur l'information scientifique et technique (CERIST), Algiers, Algeria

Centre de recherche sur l'information scientifique et technique (CERIST), Algiers, Algeria
View Profile

CODASPY '17: Proceedings of the Seventh ACM on Conference on Data and Application Security and PrivacyMarch 2017Pages 139–141https://doi.org/10.1145/3029806.3029838

Published:22 March 2017Publication History

CODASPY '17: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy

Pages 139–141

ABSTRACT

Web applications use authentication mechanisms to provide user-friendly content to users. However, some dangerous techniques like session fixation attacks target these mechanisms, by making the legitimate user use a session identifier that is controlled by the attacker. In this way, he can then impersonate the legitimate user without the need to know his credentials. In this paper, we present SAWFIX, a PHP static analyzer that checks web applications for session fixation vulnerabilities. To the best of our knowledge, SAWFIX is the first analyzer that checks exhaustively for this type of vulnerabilities, while the other methods only ensure partial correctness that is limited to a fraction of possible executions. SAWFIX is based on abstract interpretation, which is a theory for approximating the semantics of programs and allows designing static analyzers that are fully automatic and sound by construction. We implemented a prototype of our approach and tested it on several complex web applications. We obtained promising results in terms of detection accuracy and processing time, which reflects the efficiency of our system.

References

IBM Security AppScan. http://www-03.ibm.com/software/products/en/appscan.Google Scholar
P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proc. 4th ACM symposium on Principles of programming languages, pages 238--252. ACM, 1977. Google ScholarDigital Library
P. De Ryck, N. Nikiforakis, L. Desmet, F. Piessens, and W. Joosen. Serene: self-reliant client-side protection against session fixation. In Proc. 12th IFIP WG 6.1 international conference on Distributed Applications and Interoperable Systems, DAIS'12, pages 59--72. Springer-Verlag, 2012. Google ScholarDigital Library
M. Johns, B. Braun, M. Schrank, and J. Posegga. Reliable protection against session fixation attacks. In Proc. 2011 ACM Symposium on Applied Computing, SAC '11, pages 1531--1537. ACM, 2011. Google ScholarDigital Library
Y. Takamatsu, Y. Kosuga, and K. Kono. Automated detection of session fixation vulnerabilities. In Proc. 19th international conference on World wide web, WWW '10, pages 1191--1192. ACM, 2010. Google ScholarDigital Library

Index Terms

Sound and Static Analysis of Session Fixation Vulnerabilities in PHP Web Applications
1. Security and privacy

Recommendations

Automated detection of session fixation vulnerabilities
WWW '10: Proceedings of the 19th international conference on World wide web

Session fixation is a technique for obtaining the visitor's session identifier (SID) by forcing the visitor to use the SID supplied by the attacker. The attacker who obtains the victim's SID can masquerade as the visitor. In this paper, we propose a ...
Read More
Static analysis for detecting taint-style vulnerabilities in web applications

The number and the importance of web applications have increased rapidly over the last years. At the same time, the quantity and impact of security vulnerabilities in such applications have grown as well. Since manual code reviews are time-consuming, ...
Read More
Securing web applications from injection and logic vulnerabilities

Context: Web applications are trusted by billions of users for performing day-to-day activities. Accessibility, availability and omnipresence of web applications have made them a prime target for attackers. A simple implementation flaw in the ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CODASPY '17: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy
March 2017
382 pages
ISBN:9781450345231
DOI:10.1145/3029806
General Chair:
Gail-Joon Ahn
Arizona State University, USA
,
Program Chairs:
Alexander Pretschner
Technische Universität München, Germany
,
Gabriel Ghinita
University of Massachusetts Boston, USA
Copyright © 2017 Owner/Author
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 22 March 2017
Check for updates
Author Tags
abstract interpretation
session fixation attacks
static program analysis
web application security
Qualifiers
- poster
Conference

Acceptance Rates
CODASPY '17 Paper Acceptance Rate21of134submissions,16%Overall Acceptance Rate149of789submissions,19%
More
Upcoming Conference
CODASPY '24

Sponsor:

sigsac

Fourteenth ACM Conference on Data and Application Security and Privacy

June 19 - 21, 2024

Porto , Portugal
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 4
  Total Citations
  View Citations
- 165
  Total Downloads
- Downloads (Last 12 months)11
- Downloads (Last 6 weeks)1
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Sound and Static Analysis of Session Fixation Vulnerabilities in PHP Web Applications

CODASPY '17: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy

ABSTRACT

References

Cited By

Index Terms

Recommendations

Automated detection of session fixation vulnerabilities

Static analysis for detecting taint-style vulnerabilities in web applications

Securing web applications from injection and logic vulnerabilities

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF Format

eReader

Digital Edition

Caption

Sound and Static Analysis of Session Fixation Vulnerabilities in PHP Web Applications

CODASPY '17: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy

ABSTRACT

References

Cited By

Index Terms

Recommendations

Automated detection of session fixation vulnerabilities

Static analysis for detecting taint-style vulnerabilities in web applications

Securing web applications from injection and logic vulnerabilities

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Upcoming Conference

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media