TY - GEN
T1 - Automated detection of session management vulnerabilities in web applications
AU - Takamatsu, Yusuke
AU - Kosuga, Yuji
AU - Kono, Kenji
PY - 2012/11/6
Y1 - 2012/11/6
N2 - Many web applications employ session management to keep track of visitors' activities across pages and over periods of time. A session is a period of time linked to a visitor, which is initiated when he/she arrives at a web application and it ends when his/her browser is closed or after a certain time of inactivity. Attackers can hijack a user's session by exploiting session management vulnerabilities by means of session fixation and cross-site request forgery attacks. Even though such session management vulnerabilities can be eliminated in the development phase of web applications, the test operator is required to have detailed knowledge on the attacks and to set up a test environment each time he/she attempts to detect vulnerabilities. We propose a technique that automatically detects session management vulnerabilities in web applications by simulating real attacks. Our technique requires the test operator to only enter a few pieces of basic information about the web application, without requiring a test environment to be set up or detailed knowledge on the web application. Our experiments demonstrated that our technique could detect vulnerabilities in five web applications deployed in the real world.
AB - Many web applications employ session management to keep track of visitors' activities across pages and over periods of time. A session is a period of time linked to a visitor, which is initiated when he/she arrives at a web application and it ends when his/her browser is closed or after a certain time of inactivity. Attackers can hijack a user's session by exploiting session management vulnerabilities by means of session fixation and cross-site request forgery attacks. Even though such session management vulnerabilities can be eliminated in the development phase of web applications, the test operator is required to have detailed knowledge on the attacks and to set up a test environment each time he/she attempts to detect vulnerabilities. We propose a technique that automatically detects session management vulnerabilities in web applications by simulating real attacks. Our technique requires the test operator to only enter a few pieces of basic information about the web application, without requiring a test environment to be set up or detailed knowledge on the web application. Our experiments demonstrated that our technique could detect vulnerabilities in five web applications deployed in the real world.
UR - http://www.scopus.com/inward/record.url?scp=84868244552&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84868244552&partnerID=8YFLogxK
U2 - 10.1109/PST.2012.6297927
DO - 10.1109/PST.2012.6297927
M3 - Conference contribution
AN - SCOPUS:84868244552
SN - 9781467323260
T3 - 2012 10th Annual International Conference on Privacy, Security and Trust, PST 2012
SP - 112
EP - 119
BT - 2012 10th Annual International Conference on Privacy, Security and Trust, PST 2012
T2 - 2012 10th Annual International Conference on Privacy, Security and Trust, PST 2012
Y2 - 16 July 2012 through 18 July 2012
ER -