Automatically Checking for Session Management Vulnerabilities in Web Applications
Abstract
Many web applications employ session management to keep track of visitors' activities across pages and over periods of time. A session is a period of time linked to a visitor: it is initiated when the visitor arrives at a web application and ends when the browser is closed or after a certain period of inactivity. Attackers can hijack a user's session by exploiting session management vulnerabilities through session fixation and cross-site request forgery (CSRF) attacks. Although such session management vulnerabilities can be eliminated during the development phase of a web application, the test operator is required to have detailed knowledge of the attacks and to set up a test environment each time he or she attempts to detect vulnerabilities. We propose a technique that automatically detects session management vulnerabilities in web applications by simulating real attacks. Our technique requires the test operator to enter only a few pieces of basic information about the web application; no test environment needs to be set up and no detailed knowledge of the web application is required. Our experiments demonstrated that our technique could detect vulnerabilities in a web application we built and in seven web applications deployed in the real world.
Authors
- KONO Kenji (Keio Univ.)
- Kono Kenji (Keio University)
- Takamatsu Yusuke (Keio University)
- Kosuga Yuji (Everforth Co., Ltd.)
Related papers
- Research on Virtual Machine Technology as a "Means" (Introduction to the FY2009 Paper Award-Winning Paper)
- Reducing Security Policy Size for Internet Servers in Secure Operating Systems
- Filtering False Positives Based on Server-Side Behaviors
- A Lightweight Linux Binary Execution System for Using Windows PCs in a Grid Environment
- User-level Enforcement of Appropriate Background Process Execution
- TCP Reassembler for Layer7-Aware Network Intrusion Detection/Prevention Systems(Dependable Computing)
- Using a Virtual Machine Monitor to Slow Down CPU Speed for Embedded Time-Sensitive Software Testing
- A State-Aware Protocol Fuzzer Based on Application-Layer Protocols
- Clustering Performance Anomalies Based on Similarity in Processing Time Changes
- MashCache: Taming Flash Crowds by Using Their Good Features
- Lightweight Recovery from Kernel Failures Using Phase-based Reboot
- Using Fault Injection to Analyze the Scope of Error Propagation in Linux
- Honeyguide: A VM Migration-Aware Network Topology for Saving Energy Consumption in Data Center Networks
- Automatically Checking for Session Management Vulnerabilities in Web Applications
- DiscNice: User-level Regulation of Disk Bandwidth