Thesis
Session armor: protection against session hijacking using per-request authentication
Master of Science (M.S.), Drexel University
Sep 2017
DOI:
https://doi.org/10.17918/etd-7696
Abstract
Modern life increasingly relies upon web applications to provide critical services and infrastructure. Activities of banking, shopping, socializing, entertainment, and even medical record keeping are now primarily conducted using the Internet as a medium and HTTP as a protocol. A critical requirement of these tools is the mechanism by which they authenticate users and prevent transaction replay. Despite more than 20 years of widespread deployment, the de-facto technique for accomplishing these goals is the use of a static session bearer token to authenticate all requests for the lifetime of a user session. In addition, the use of any method to prevent request replay is not in common practice. This thesis presents Session Armor, a protocol which builds upon existing techniques to provide cryptographically-strong per-request authentication with both time-based and optional absolute replay prevention. Session Armor is designed to perform well and to be easily deployed by web application developers. It acts as a layer on top of existing session tokens, so as not to require modification of application logic. In addition to Session Armor, two additional tools are presented, JackHammer, a cross-browser extension that allows developers to quickly discover session hijacking vulnerabilities in their web applications, and SessionJack, a tool for analyzing the security properties of session tokens found on the web. A formal specification of the Session Armor protocol is provided. An implementation of the protocol is included as a Python Django middleware and a Chrome browser extension. Performance data is provided with a comparison to previous methods. A formal validation of secrecy and correspondence properties is presented in the Dolev-Yao model.
Metrics
81 File views/ downloads
21 Record Views
Details
- Title
- Session armor
- Creators
- Andrew J. Sauber - DU
- Contributors
- Harish Sethu (Advisor) - Drexel University (1970-)
- Awarding Institution
- Drexel University
- Degree Awarded
- Master of Science (M.S.)
- Publisher
- Drexel University; Philadelphia, Pennsylvania
- Number of pages
- x, 138 pages
- Resource Type
- Thesis
- Language
- English
- Academic Unit
- College of Engineering (1970-2026); Electrical (and Computer) Engineering (1970-2026); Drexel University
- Other Identifier
- 7696; 991014632071604721