Session Management Vulnerabilities in Today's Web
September/October 2010 (vol. 8 no. 5)
pp. 48-56
Corrado Visaggio, University of Sannio, Benevento
Many cyber attacks exploit session management vulnerabilities that allow recognition of attackers as valid website users. Under these fake identities, attackers can steal sensitive data, alter private settings, and compromise website structure and content. This article describes Web application design flaws that could be exploited for session management attacks and discusses these flaws' current prevalence.

Index Terms:
session management, Web application security, security and privacy
Citation:
Corrado Visaggio, "Session Management Vulnerabilities in Today's Web," IEEE Security & Privacy, vol. 8, no. 5, pp. 48-56, Sept.-Oct. 2010, doi:10.1109/MSP.2010.114