Half-baked cookies: Hardening cookie-based authentication for the modern web

Yogesh Mundada, Nick Feamster, Balachander Krishnamurthy

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

15 Scopus citations

Abstract

Modern websites use multiple authentication cookies to allow visitors to the site different levels of access. The complexity of modern web applications can make it difficult for a web application programmer to ensure that the use of authentication cookies does not introduce vulnerabilities. Even when a programmer has access to all of the source code, this analysis can be challenging; the problem becomes even more vexing when web programmers cobble together off-the-shelf libraries to implement authentication. We have assembled a checklist for modern web programmers to verify that the cookie-based authentication mechanism is securely implemented. Then, we developed a tool, Newton, to help a web application programmer identify authentication cookies for specific parts of the website and verify that they are securely implemented according to the checklist. We used Newton to analyze 149 sites, including the Alexa top-200 and many other popular sites across a range of categories including search, shopping, and finance. We found that 113 of them, including high-profile sites such as Yahoo, Amazon, and Fidelity, were vulnerable to hijacking attacks. Many websites have already acknowledged and fixed the vulnerabilities that we found using Newton and reported to them.
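The abstract describes verifying that a site's authentication cookies satisfy a hardening checklist once those cookies have been identified. The script below is an added illustration of that kind of attribute-level check, not the paper's Newton tool or its published checklist: the three checks it applies (Secure, HttpOnly, SameSite=Lax/Strict) are standard hardening guidance chosen for this example, the set of names treated as authentication cookies is passed in rather than discovered, and the Set-Cookie headers are constructed sample input.

```python
"""Checklist-style audit of Set-Cookie headers.

Added example, not code from the paper or from Newton. The checklist
entries below are assumed for illustration; a real audit would also
cover how the cookie is issued and used, which this script does not see.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure map to True,
    valued attributes such as SameSite=Lax map to their string value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


# Assumed checklist: each entry maps a check name to a predicate over the
# parsed attributes that returns True when the cookie passes.
CHECKS = {
    "secure": lambda a: a.get("secure") is True,
    "httponly": lambda a: a.get("httponly") is True,
    "samesite": lambda a: str(a.get("samesite", "")).lower() in ("lax", "strict"),
}


def audit_cookie(header):
    """Return (cookie name, list of failed check names) for one header."""
    name, _, attrs = parse_set_cookie(header)
    failed = [check for check, passes in CHECKS.items() if not passes(attrs)]
    return name, failed


def audit_response(set_cookie_headers, auth_cookie_names):
    """Audit only the cookies the caller has identified as authentication cookies.

    Returns a dict of cookie name -> failed checks; cookies that pass every
    check, and non-authentication cookies, are omitted.
    """
    findings = {}
    for header in set_cookie_headers:
        name, failed = audit_cookie(header)
        if name in auth_cookie_names and failed:
            findings[name] = failed
    return findings


# Constructed sample response headers: one hardened session cookie, one
# authentication cookie missing every protective attribute, one non-auth cookie.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "auth_token=def456; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    "theme=dark; Path=/",
]
SAMPLE_AUTH_COOKIES = {"sessionid", "auth_token"}

if __name__ == "__main__":
    for cookie, failed in audit_response(SAMPLE_HEADERS, SAMPLE_AUTH_COOKIES).items():
        print(f"{cookie}: missing {', '.join(failed)}")
```

Deciding which cookies are actually authentication cookies is the hard part the abstract attributes to Newton; this script assumes that set is already known and only evaluates the attributes each one is issued with.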

Original language: English (US)
Title of host publication: ASIA CCS 2016 - Proceedings of the 11th ACM Asia Conference on Computer and Communications Security
Publisher: Association for Computing Machinery, Inc
Pages: 675-686
Number of pages: 12
ISBN (Electronic): 9781450342339
DOIs
State: Published - May 30 2016
Event: 11th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2016 - Xi'an, China
Duration: May 30 2016 to Jun 3 2016

Publication series

Name: ASIA CCS 2016 - Proceedings of the 11th ACM Asia Conference on Computer and Communications Security

Other

Other: 11th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2016
Country/Territory: China
City: Xi'an
Period: 5/30/16 to 6/3/16

All Science Journal Classification (ASJC) codes

  • Computer Science Applications
  • Software
  • Computer Networks and Communications
