The Community for Technology Leaders
RSS Icon
Subscribe
Issue No.05 - September/October (2010 vol.8)
pp: 48-56
Corrado Visaggio , Univeristy of Sannio, Benevento
ABSTRACT
Many cyber attacks exploit session management vulnerabilities that allow recognition of attackers as valid website users. Under these fake identities, attackers can steal sensitive data, alter private settings, and compromise website structure and content. This article describes Web application design flaws that could be exploited for session management attacks and discusses these flaws' current prevalence.
INDEX TERMS
session management, Web application security, security and privacy
CITATION
Corrado Visaggio, "Session Management Vulnerabilities in Today's Web", IEEE Security & Privacy, vol.8, no. 5, pp. 48-56, September/October 2010, doi:10.1109/MSP.2010.114
REFERENCES
1. Cenzic Web Application Security Trends Report—Q3–Q4, 2009, Cenzic, 2010.
2. C. Soghoian and S. Stamm, "Certified Lies: Detecting and Defeating Government Interception Attacks against SSL," Social Science Research Network, Apr. 2010; http://files.cloudprivacy.netssl-mitm.pdf .
3. "OWASP Top 10 2010 AppSecDC," Open Web Application Security Project Foundation, Nov. 2009; www.owasp.org/index.phpOWASP_Top_10_2010_AppSecDC .
4. D. Stuttard and M. Pinto, The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, John Wiley & Sons, 2008.
5. C. Anley, "Weak Randomness: Part I—Linear Congruential Random Number Generators," Next Generation Security Software, 2007; www.ngssoftware.com/Libraries/Documents02_07_Weak_Randomness.sflb.ashx .
6. "Cross Site Scripting," Web Application Security Consortium, 2009; www.webappsec.org/projects/threat/classes cross-site_scripting.shtml.
7. M. Kolšek, "Session Fixation Vulnerability in Web-Based Applications," Acros Security, Dec. 2002; www.acrossecurity.com/paperssession_fixation.pdf .
8. "OWASP Testing Guide v3," Open Web Application Security Project Foundation, Nov. 2008; www.owasp.org/index.phpOWASP_Testing_Guide_v3_Table_of_Contents .
9. A. Kiezun et al., "Automatic Creation of SQL Injection and Cross-Site Scripting Attacks," Proc. 31st Int'l Conf. Software Eng., IEEE CS Press, 2009, pp. 199–209.
6 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool