LogSec: adaptive protection for the wild wild web

Research article, DOI: 10.1145/2695664.2695709
Published: 13 April 2015

Abstract

Today, a Web browser is a user's gateway to a multitude of Web applications, each with its own balance between confidentiality and integrity versus cross-application content sharing. Modern Web browsers apply the same permissive security policy to all content regardless of its demand for security, a behavior that enables attacks such as cross-site request forgery (CSRF) or sidejacking. To defend against such attacks, existing countermeasures enforce overly strict policies, which expose incompatibilities with real-world Web applications. As a consequence, users get annoyed by malfunctions. In this paper, we show how browser behavior can be adapted based on the user's authentication status: the browser enforces enhanced security policies where necessary and permits modern communication features where possible. Our approach mitigates CSRF, session hijacking, sidejacking, and session fixation attacks. We present the implementation as a browser extension, named LogSec, which passively detects the user's authentication status without server-side support and is transparent to the user.


Cited By

  • (2020) An OWASP Top Ten Driven Survey on Web Application Protection Methods. Risks and Security of Internet and Systems, pp. 235-252, doi:10.1007/978-3-030-68887-5_14. Online publication date: 4 Nov 2020.

Published In

SAC '15: Proceedings of the 30th Annual ACM Symposium on Applied Computing
April 2015
2418 pages
ISBN: 9781450331968
DOI: 10.1145/2695664

Publisher

Association for Computing Machinery

New York, NY, United States


Conference

SAC 2015: Symposium on Applied Computing
April 13 - 17, 2015
Salamanca, Spain

Acceptance Rates

SAC '15 paper acceptance rate: 291 of 1,211 submissions (24%)
Overall acceptance rate: 1,650 of 6,669 submissions (25%)
