Name
Abstract | ||
|---|---|---|
The term 'Session Fixation vulnerability' subsumes issues in Web applications that under certain circumstances enable the adversary to perform a Session Hijacking attack through controlling the victim's session identifier value. A successful attack allows the attacker to fully impersonate the victim towards the vulnerable Web application. We analyse the vulnerability pattern and identify its root cause in the separation of concerns between the application logic, which is responsible for the authentication processes, and the framework support, which handles the task of session tracking. Based on this result, we present and discuss three distinct server-side measures for mitigating Session Fixation vulnerabilities. Each of our countermeasures is tailored to suit a specific real-life scenario that might be encountered by the operator of a vulnerable Web application. |
Year | DOI | Venue |
|---|---|---|
2011 | 10.1145/1982185.1982511 | SAC |
Keywords | Field | DocType |
vulnerability pattern,application logic,fixation vulnerability,vulnerable web application,reliable protection,session tracking,successful attack,session fixation vulnerability,web application,session identifier value,mitigating session,session fixation attack,separation of concern,hci,nlp,access control | Internet privacy,Authentication,Computer security,Computer science,Session hijacking,Separation of concerns,Session ID,Access control,Web application,Session fixation,Vulnerability | Conference |
Citations | PageRank | References |
15 | 0.83 | 4 |
Authors | ||
4 | ||
Name | Order | Citations | PageRank |
|---|---|---|---|
| Martin Johns | 1 | 342 | 25.56 |
| Bastian Braun | 2 | 30 | 5.10 |
| Michael Schrank | 3 | 25 | 2.38 |
| Joachim Posegga | 4 | 460 | 49.12 |