DOI: 10.1145/2187836.2187880
Research article

SessionJuggler: secure web login from an untrusted terminal using session hijacking

Published: 16 April 2012

Abstract

We use modern features of web browsers to develop a secure login system from an untrusted terminal. The system, called Session Juggler, requires no server-side changes and no special software on the terminal beyond a modern web browser. This important property makes adoption much easier than with previous proposals. With Session Juggler, users never enter their long-term credentials on the untrusted terminal. Instead, users log in to a web site using a smartphone app and then transfer the entire session, including cookies and all other session state, to the untrusted terminal. We show that Session Juggler works on all the Alexa top 100 sites except eight. Of those eight, five failures were due to the site enforcing IP session binding. We also show that Session Juggler works flawlessly with Facebook Connect. Beyond login, Session Juggler also provides a secure logout mechanism in which the trusted phone is used to kill the session. To validate the session juggling concept we conducted a number of web site surveys that are of independent interest. First, we survey how web sites bind a session token to a specific device and show that most use fairly basic techniques that are easily defeated. Second, we survey how web sites handle logout and show that many popular sites surprisingly do not properly handle logout requests.



    Published In

    WWW '12: Proceedings of the 21st international conference on World Wide Web
    April 2012
    1078 pages
    ISBN:9781450312295
    DOI:10.1145/2187836
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    • Univ. de Lyon: Universite de Lyon


    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. android
    2. cookie
    3. https
    4. malware
    5. mobile
    6. session
    7. session hijacking

    Qualifiers

    • Research-article

    Conference

    WWW 2012
    Sponsor:
    • Univ. de Lyon
    WWW 2012: 21st World Wide Web Conference 2012
    April 16 - 20, 2012
    Lyon, France

    Acceptance Rates

    Overall Acceptance Rate 1,899 of 8,196 submissions, 23%
