WEKO3
アイテム
Automatically Checking for Session Management Vulnerabilities in Web Applications
https://ipsj.ixsq.nii.ac.jp/records/89936
https://ipsj.ixsq.nii.ac.jp/records/8993651eecd3c-bf94-48b8-be68-d62662ae8e31
| 名前 / ファイル | ライセンス | アクション |
|---|---|---|
IPSJ-TACS0601005.pdf (956.4 kB)
|
Copyright (c) 2013 by the Information Processing Society of Japan
|
|
| オープンアクセス | ||
| Item type | Trans(1) | |||||||
|---|---|---|---|---|---|---|---|---|
| 公開日 | 2013-01-31 | |||||||
| タイトル | ||||||||
| タイトル | Automatically Checking for Session Management Vulnerabilities in Web Applications | |||||||
| タイトル | ||||||||
| 言語 | en | |||||||
| タイトル | Automatically Checking for Session Management Vulnerabilities in Web Applications | |||||||
| 言語 | ||||||||
| 言語 | eng | |||||||
| キーワード | ||||||||
| 主題Scheme | Other | |||||||
| 主題 | [ウェブアプリケーション] web application security, session management, vulnerability, session fixation, cross site request forgery | |||||||
| 資源タイプ | ||||||||
| 資源タイプ識別子 | http://purl.org/coar/resource_type/c_6501 | |||||||
| 資源タイプ | journal article | |||||||
| 著者所属 | ||||||||
| Keio University | ||||||||
| 著者所属 | ||||||||
| Everforth Co., Ltd. | ||||||||
| 著者所属 | ||||||||
| Keio University / JST CREST | ||||||||
| 著者所属(英) | ||||||||
| en | ||||||||
| Keio University | ||||||||
| 著者所属(英) | ||||||||
| en | ||||||||
| Everforth Co., Ltd. | ||||||||
| 著者所属(英) | ||||||||
| en | ||||||||
| Keio University / JST CREST | ||||||||
| 著者名 |
Yusuke, Takamatsu
× Yusuke, Takamatsu
|
|||||||
| 著者名(英) |
Yusuke, Takamatsu
× Yusuke, Takamatsu
|
|||||||
| 論文抄録 | ||||||||
| 内容記述タイプ | Other | |||||||
| 内容記述 | Many web applications employ session management to keep track of visitors' activities across pages and over periods of time. A session is a period of time linked to a visitor, which is initiated when he/she arrives at a web application and it ends when his/her browser is closed or after a certain time of inactivity. Attackers can hijack a user's session by exploiting session management vulnerabilities by means of session fixation and cross-site request forgery attacks. Even though such session management vulnerabilities can be eliminated in the development phase of web applications, the test operator is required to have detailed knowledge of the attacks and to set up a test environment each time he/she attempts to detect vulnerabilities. We propose a technique that automatically detects session management vulnerabilities in web applications by simulating real attacks. Our technique requires the test operator to enter only a few pieces of basic information about the web application, without requiring a test environment to be set up or detailed knowledge of the web application. Our experiments demonstrated that our technique could detect vulnerabilities in a web application we built and in seven web applications deployed in the real world. | |||||||
| 論文抄録(英) | ||||||||
| 内容記述タイプ | Other | |||||||
| 内容記述 | Many web applications employ session management to keep track of visitors' activities across pages and over periods of time. A session is a period of time linked to a visitor, which is initiated when he/she arrives at a web application and it ends when his/her browser is closed or after a certain time of inactivity. Attackers can hijack a user's session by exploiting session management vulnerabilities by means of session fixation and cross-site request forgery attacks. Even though such session management vulnerabilities can be eliminated in the development phase of web applications, the test operator is required to have detailed knowledge of the attacks and to set up a test environment each time he/she attempts to detect vulnerabilities. We propose a technique that automatically detects session management vulnerabilities in web applications by simulating real attacks. Our technique requires the test operator to enter only a few pieces of basic information about the web application, without requiring a test environment to be set up or detailed knowledge of the web application. Our experiments demonstrated that our technique could detect vulnerabilities in a web application we built and in seven web applications deployed in the real world. | |||||||
| 書誌レコードID | ||||||||
| 収録物識別子タイプ | NCID | |||||||
| 収録物識別子 | AA11833852 | |||||||
| 書誌情報 |
情報処理学会論文誌コンピューティングシステム(ACS) 巻 6, 号 1, p. 45-55, 発行日 2013-01-31 |
|||||||
| ISSN | ||||||||
| 収録物識別子タイプ | ISSN | |||||||
| 収録物識別子 | 1882-7829 | |||||||
| 出版者 | ||||||||
| 言語 | ja | |||||||
| 出版者 | 情報処理学会 | |||||||
