Title
Sound and Static Analysis of Session Fixation Vulnerabilities in PHP Web Applications.
Abstract
Web applications use authentication mechanisms to provide personalized content to users. However, some dangerous techniques, such as session fixation attacks, target these mechanisms by making the legitimate user use a session identifier that is controlled by the attacker. The attacker can then impersonate the legitimate user without needing to know the user's credentials. In this paper, we present SAWFIX, a PHP static analyzer that checks web applications for session fixation vulnerabilities. To the best of our knowledge, SAWFIX is the first analyzer that checks exhaustively for this type of vulnerability, whereas other methods only ensure partial correctness limited to a fraction of the possible executions. SAWFIX is based on abstract interpretation, a theory for approximating the semantics of programs that allows the design of static analyzers that are fully automatic and sound by construction. We implemented a prototype of our approach and tested it on several complex web applications. We obtained promising results in terms of detection accuracy and processing time, which reflect the efficiency of our system.
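The attack the abstract describes hinges on one coding pattern: a login handler that elevates the privileges of whatever session identifier the browser presented, instead of issuing a fresh one. The following is an added example, not code from the paper or from SAWFIX, showing that pattern in PHP next to its hardened form. The function names (`authenticate`, `login_vulnerable`, `login_hardened`, `start_session_strict`) and the constructed single-user credential store are assumptions made for illustration.

```php
<?php
// Added example (not from the SAWFIX paper): a minimal PHP login handler in its
// session-fixation-vulnerable form and in a hardened form. All function names
// and the credential store below are assumptions made for illustration.

// Constructed credential store with one user. A real application would load
// password hashes from a database; hashing at first call keeps this self-contained.
function user_store(): array {
    static $store = null;
    if ($store === null) {
        $store = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $store;
}

function authenticate(string $user, string $pass): bool {
    $store = user_store();
    return isset($store[$user]) && password_verify($pass, $store[$user]);
}

// VULNERABLE: the session ID the browser presented is kept across the
// privilege change. If an attacker has arranged for the victim's browser to
// present an ID the attacker already knows, that ID now names an
// authenticated session, and the attacker can use it without any credentials.
function login_vulnerable(string $user, string $pass): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!authenticate($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;   // privilege changes, session ID does not
    return true;
}

// Session bootstrap with the php.ini-level mitigations that shrink the attack
// surface: reject IDs the server never issued (use_strict_mode), accept IDs
// only from cookies (use_only_cookies), and never embed IDs in URLs (use_trans_sid).
// These must be set before session_start().
function start_session_strict(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_start();
}

// HARDENED: issue a fresh ID at the moment of authentication and delete the
// old session data, so an ID that was known before login never becomes an
// authenticated one. Regenerating on every privilege change (login, role
// switch) is the property a session-fixation analyzer checks for.
function login_hardened(string $user, string $pass): bool {
    start_session_strict();
    if (!authenticate($user, $pass)) {
        return false;
    }
    session_regenerate_id(true);   // true: destroy the old session's data as well
    $_SESSION['user'] = $user;
    return true;
}

// Logout counterpart: clear data, expire the cookie, and destroy the session,
// so the ID cannot be reused after the user leaves.
function logout(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return;
    }
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage sketch inside a request handler (assumes POST fields 'user' and 'pass'):
//   $before = session_id();
//   if (login_hardened($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//       // $before !== session_id(): the pre-login ID is no longer valid
//   }
```

The difference between the two handlers is a single call, which is exactly why the bug is easy to miss in code review and why a whole-program analysis that tracks the session identifier across every path to the privilege change is valuable: `session_regenerate_id()` on the common path does not help if some other branch (a "remember me" flow, an admin login, an OAuth callback) still promotes the presented ID.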
Year: 2017
DOI: 10.1145/3029806.3029838
Venue: CODASPY
Keywords: Session fixation attacks, Web application security, Static program analysis, Abstract interpretation
Field: Static program analysis, Authentication, Computer security, Abstract interpretation, Computer science, Static analysis, Session ID, Web application security, Web application, Session fixation
DocType: Conference
Citations: 0
PageRank: 0.34
References: 4
Authors (4)

Name                   Order  Citations  PageRank
Abdelouahab Amira      1      0          0.34
Abdelraouf Ouadjaout   2      139        12.17
Abdelouahid Derhab     3      277        32.68
Nadjib Badache         4      612        60.98