Montag, 5. März 2007
Maddin, 5. März 2007 um 16:46:28 MEZ Paper: SessionSafe - Implementing XSS Immune Session Handling My SessionSafe-paper is online for quite a while now, but I never found the time to write about it. The paper describes three methods that, if used in combination, allow to protect web applications against session hijacking even in situations when a XSS attack already successfully injected malicious JavaScript code into the application. XSS problems are not always caused by flaws in the web application itself. Instead they may arise due to external factors, like the expect header problem, vulnerable browser extensions (e.g., the Adobe PDF UXSS), or unwise usage of eval() in Greasemonkey-scripts. For this reason such a second line of defence is useful even if an web application is well audited and believed to be secure. The paper was presented at ESORICS 2006 and published in the conference's proceedings. Abstract (fat free version): In hindsight I tend to consider the JavaScript based Randomizer object to be the weakest part of the paper as I am not fully convinced that some JavaScript implementation might not provide a non-standard mechanism to either obtain the encapsulated list of nonces or hijack the document.location property. E.g., one of the paper's reviewers warned about an attacker that tries to overwrite the setter-function of the document.location property. While Kuzza55 showed how to counter such an attempt, the whole business still leaves an uneasy feeling. However even the combination of Deferred Loading and Subdomain Switching still provides decent enough protection, as I have discussed in my ph-neutral 0x7d6 presentation. Also implementing the Randomizer object either in Flash or as a Java applet should get rid of my JavaScript worries. Misc. remarks and updates: A closing remark: The research that did lead to this paper was probably the most fun I yet had in academia.
|
online for 8451 Days
last updated: 09.04.14, 16:14 Youre not logged in ... Login
click:
Martin Welt martinjohns.com Tumbling Nerd Alert Blogroll doomicile foobla simonox Podroll IT Conversations The Podcast about nothing |