\chapter{Introduction}
Over the last few years, the web has shifted from being a collection of pages containing static information to a dynamic and fully interactive platform. Where the Internet was once used only as an information repository, today it powers complex web applications, developed both to replace programs that used to run locally on a user's computer and to provide entirely new functionality that is possible only on the web. To achieve this, web protocols are used and extended in ways they were never designed for.
Increasingly, these web applications deal with sensitive personal information. Thanks to the emergence of web-based mail applications like Google's GMail and Microsoft's Hotmail, and social networking websites like Facebook and Netlog, a great deal of user information is stored on the servers of web applications. Moreover, shops have moved to the online world, and payments can be made online by using online banking or credit cards. Because many web applications couple sensitive data to the user's account, confidentiality of the user's authentication information is of utmost importance.
Most web applications handle user authentication via the concept of web sessions. These allow users to use a web application without having to enter their login credentials for every action they take. Unfortunately, web sessions have many security weaknesses. OWASP, a leading organization in the field of web application security, rates `Broken Authentication and Session Management' as the third most important web application security risk \cite{Williams2010}. Furthermore, many high-profile web applications have been vulnerable to attacks on session management: YouTube and Twitter are two examples of web applications that contained such vulnerabilities in the past \cite{youtubevulnerability,twittervulnerability}.
A problem is that users of a web application have to trust the developer of the application to take the necessary security precautions. The web developer, on the other hand, may consider such precautions too difficult or too costly, leaving the users unprotected. Moreover, the web developer might not even be aware that the web application contains security vulnerabilities. To enable users to protect themselves against session attacks, regardless of whether the web application itself is secure, a client-side tool offering protection against these attacks is needed.
In this thesis, we examine the security of sessions in web applications. Our contributions are as follows:
\begin{itemize}
\item We provide a complete overview of three important session attacks, together with a list of possible attack vectors for each of these attacks.
\item We thoroughly evaluate different solutions that were proposed over the years to improve session security.
\item We inspect to what extent popular web frameworks provide protection against session attacks.
\item We propose a novel client-side approach to solving two important session attacks, and we implement our policy as an add-on for the Firefox web browser. We also provide an extensive evaluation of our add-on.
\end{itemize}