TY - GEN
T1 - Half-baked cookies
T2 - 11th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2016
AU - Mundada, Yogesh
AU - Feamster, Nick
AU - Krishnamurthy, Balachander
N1 - Publisher Copyright:
Copyright 2016 ACM.
PY - 2016/5/30
Y1 - 2016/5/30
N2 - Modern websites use multiple authentication cookies to allow visitors to the site different levels of access. The complexity of modern web applications can make it difficult for a web application programmer to ensure that the use of authentication cookies does not introduce vulnerabilities. Even when a programmer has access to all of the source code, this analysis can be challenging; the problem becomes even more vexing when web programmers cobble together off-the-shelf libraries to implement authentication. We have assembled a checklist for modern web programmers to verify that the cookie-based authentication mechanism is securely implemented. Then, we developed a tool, Newton, to help a web application programmer to identify authentication cookies for specific parts of the website and to verify that they are securely implemented according to the checklist. We used Newton to analyze 149 sites, including the Alexa top-200 and many other popular sites across a range of categories including search, shopping, and finance. We found that 113 of them, including high-profile sites such as Yahoo, Amazon, and Fidelity, were vulnerable to hijacking attacks. Many websites have already acknowledged and fixed the vulnerabilities that we found using Newton and reported to them.
AB - Modern websites use multiple authentication cookies to allow visitors to the site different levels of access. The complexity of modern web applications can make it difficult for a web application programmer to ensure that the use of authentication cookies does not introduce vulnerabilities. Even when a programmer has access to all of the source code, this analysis can be challenging; the problem becomes even more vexing when web programmers cobble together off-the-shelf libraries to implement authentication. We have assembled a checklist for modern web programmers to verify that the cookie-based authentication mechanism is securely implemented. Then, we developed a tool, Newton, to help a web application programmer to identify authentication cookies for specific parts of the website and to verify that they are securely implemented according to the checklist. We used Newton to analyze 149 sites, including the Alexa top-200 and many other popular sites across a range of categories including search, shopping, and finance. We found that 113 of them, including high-profile sites such as Yahoo, Amazon, and Fidelity, were vulnerable to hijacking attacks. Many websites have already acknowledged and fixed the vulnerabilities that we found using Newton and reported to them.
UR - http://www.scopus.com/inward/record.url?scp=84979701204&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84979701204&partnerID=8YFLogxK
U2 - 10.1145/2897845.2897889
DO - 10.1145/2897845.2897889
M3 - Conference contribution
AN - SCOPUS:84979701204
T3 - ASIA CCS 2016 - Proceedings of the 11th ACM Asia Conference on Computer and Communications Security
SP - 675
EP - 686
BT - ASIA CCS 2016 - Proceedings of the 11th ACM Asia Conference on Computer and Communications Security
PB - Association for Computing Machinery, Inc
Y2 - 30 May 2016 through 3 June 2016
ER -