ABSTRACT
Web applications use authentication mechanisms to provide user-specific content to users. However, some dangerous techniques such as session fixation attacks target these mechanisms by making the legitimate user use a session identifier that is controlled by the attacker. The attacker can then impersonate the legitimate user without needing to know the user's credentials. In this paper, we present SAWFIX, a PHP static analyzer that checks web applications for session fixation vulnerabilities. To the best of our knowledge, SAWFIX is the first analyzer that checks exhaustively for this type of vulnerability, while the other methods only ensure partial correctness that is limited to a fraction of possible executions. SAWFIX is based on abstract interpretation, a theory for approximating the semantics of programs that allows the design of static analyzers that are fully automatic and sound by construction. We implemented a prototype of our approach and tested it on several complex web applications. We obtained promising results in terms of detection accuracy and processing time, which reflects the efficiency of our system.
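The abstract describes the two ingredients of a session fixation flaw, a session identifier the attacker can choose for the victim and a login path that keeps that identifier after authentication, and the idea of finding them statically. The following is an added example, not SAWFIX's code or its abstract-interpretation analysis: a deliberately simple, line-based Python checker that scans constructed PHP fragments for (a) `session_id()` being fed a request parameter and (b) a privileged `$_SESSION` assignment with no `session_regenerate_id()` since `session_start()`. The list of "privileged" session keys, the regexes and the two PHP samples are assumptions made for the illustration; a sound analyzer has to reason about control and data flow, which this heuristic does not.

```python
import re
from dataclasses import dataclass

# Session keys whose assignment we treat as "the user is now authenticated".
# Heuristic assumption for this example; real code bases vary.
PRIVILEGED_KEYS = {"user_id", "authenticated", "logged_in", "username"}

RE_SESSION_START = re.compile(r"\bsession_start\s*\(")
RE_REGENERATE = re.compile(r"\bsession_regenerate_id\s*\(")
# session_id() called with a value taken straight from a request superglobal:
# the caller can choose the identifier the application will adopt.
RE_SID_FROM_INPUT = re.compile(r"\bsession_id\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")
# Assignment (not comparison) to $_SESSION['<key>'].
RE_SESSION_ASSIGN = re.compile(r"""\$_SESSION\s*\[\s*['"](\w+)['"]\s*\]\s*=(?!=)""")


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    code: str


def analyze_php(source: str) -> list[Finding]:
    """Flag session fixation patterns in a PHP source string (line-based heuristic)."""
    findings: list[Finding] = []
    regenerated_since_start = False
    for lineno, raw in enumerate(source.splitlines(), 1):
        code = raw.split("//", 1)[0]  # drop trailing // comments (toy: breaks on "http://")
        if RE_SESSION_START.search(code):
            # A fresh session_start() resets our knowledge about the identifier.
            regenerated_since_start = False
        if RE_REGENERATE.search(code):
            # After regeneration the pre-login identifier is no longer valid.
            regenerated_since_start = True
        if RE_SID_FROM_INPUT.search(code):
            findings.append(Finding(lineno, "attacker-controlled-sid", raw.strip()))
        match = RE_SESSION_ASSIGN.search(code)
        if match and match.group(1) in PRIVILEGED_KEYS and not regenerated_since_start:
            # Privilege granted to whatever identifier the client arrived with.
            findings.append(Finding(lineno, "missing-regeneration", raw.strip()))
    return findings


# Constructed PHP fragment: adopts a caller-supplied SID and never rotates it.
VULNERABLE_LOGIN = """<?php
if (isset($_GET['sid'])) {
    session_id($_GET['sid']);
}
session_start();
if (check_password($_POST['user'], $_POST['pass'])) {
    $_SESSION['user_id'] = lookup_user_id($_POST['user']);
}
"""

# Constructed hardened fragment: identifier is regenerated before privilege is stored.
FIXED_LOGIN = """<?php
session_start();
if (check_password($_POST['user'], $_POST['pass'])) {
    session_regenerate_id(true);
    $_SESSION['user_id'] = lookup_user_id($_POST['user']);
}
"""


def finding_kinds(source: str) -> list[tuple[int, str]]:
    """Convenience view: (line, kind) pairs in source order."""
    return [(f.line, f.kind) for f in analyze_php(source)]


if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_LOGIN), ("fixed", FIXED_LOGIN)):
        print(name, finding_kinds(src))
```

Running the module prints two findings for the vulnerable fragment (line 3 adopts a request-supplied identifier, line 7 stores a privileged value without regeneration) and none for the fixed one. The checker is intentionally naive: it only tracks one boolean per file, so a regeneration on an unrelated branch would silence it, which is exactly the kind of imprecision a sound, path-aware analysis such as the one the abstract describes is meant to avoid.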
Index Terms
- Sound and Static Analysis of Session Fixation Vulnerabilities in PHP Web Applications