Surviving the Web: A Journey into Web Session Security

Authors: Stefano Calzavara, Riccardo Focardi, Marco Squarcina, Mauro Tempesta

DOI: 10.1145/3038923

Keywords:

Abstract: In this article, we survey the most common attacks against web sessions, that is, attacks that target honest browser users establishing an authenticated session with a trusted web application. We then review existing security solutions that prevent or mitigate the different attacks by evaluating them along four axes: protection, usability, compatibility, and ease of deployment. We also assess several defensive solutions that aim at providing robust safeguards against multiple attacks. Based on this survey, we identify five guidelines that, to different extents, have been taken into account by the designers of the proposals we reviewed. We believe that these guidelines can be helpful for the development of innovative solutions approaching web session security in a more systematic and comprehensive way.

References (64)
Wilayat Khan, Stefano Calzavara, Michele Bugliesi, Willem De Groef, Frank Piessens. Client Side Web Session Integrity as a Non-interference Property. International Conference on Information Systems Security (ICISS), LNCS vol. 8880, pp. 89-108, 2014. DOI: 10.1007/978-3-319-13841-1_6
Benjamin C. Pierce, Aaron Bohannon. Featherweight Firefox: Formalizing the Core of a Web Browser. USENIX Conference on Web Application Development (WebApps), pp. 11-11, 2010.
Alexei Czeskis, Michael Dietz, Dan S. Wallach, Dirk Balfanz. Origin-Bound Certificates: A Fresh Approach to Strong Client Authentication for the Web. USENIX Security Symposium, pp. 16-16, 2012.
Joel Weinberger, Dawn Song, Adam Barth. Towards Client-Side HTML Security Policies. USENIX Workshop on Hot Topics in Security (HotSec), pp. 8-8, 2011.
Mike Ter Louw, Phu H. Phung, Rohini Krishnamurti, Venkat N. Venkatakrishnan. SafeScript: JavaScript Transformation for Policy Enforcement. Secure IT Systems (NordSec), pp. 67-83, 2013. DOI: 10.1007/978-3-642-41488-6_5
Michael Weissbacher, Tobias Lauinger, William Robertson. Why Is CSP Failing? Trends and Challenges in CSP Adoption. Research in Attacks, Intrusions and Defenses (RAID), pp. 212-233, 2014. DOI: 10.1007/978-3-319-11379-1_11
Philippe De Ryck, Nick Nikiforakis, Lieven Desmet, Frank Piessens, Wouter Joosen. Serene: Self-Reliant Client-Side Protection against Session Fixation. Distributed Applications and Interoperable Systems (DAIS), pp. 59-72, 2012. DOI: 10.1007/978-3-642-30823-9_5
Engin Kirda, Christopher Krügel, Nenad Jovanovic, Giovanni Vigna, Philipp Vogt, Florian Nentwich. Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. Network and Distributed System Security Symposium (NDSS), 2007.
Philippe De Ryck, Lieven Desmet, Wouter Joosen, Frank Piessens. Automatic and Precise Client-Side Protection against CSRF Attacks. Computer Security – ESORICS 2011, pp. 100-116, 2011. DOI: 10.1007/978-3-642-23822-2_6