Protecting Cookies from Unauthorized Modification by Trusted Domain Verification
Main Authors: | , |
---|---|
Other Authors: | |
Format: | Others |
Language: | en_US |
Published: | 2012 |
Online Access: | http://ndltd.ncl.edu.tw/handle/50103418472669475985 |
Summary: | Master's === National Chiao Tung University === Institute of Computer Science and Engineering === 100 === HTTP Cookie is a well-known mechanism for the storage of session and authentication information. However, the current cookie standard does not provide robust integrity protection. Session fixation and cookie eviction are two famous attacks based on the lack of integrity protection for cookies. With the cookie sharing technique, attackers at untrusted subdomains of a trusted web site can launch these attacks. This paper proposes a trusted domain verification scheme to equip browsers with the ability to identify unauthorized modifications of authentication cookies. Since web administrators can divide the domains in a web site into trusted domains and untrusted domains, browsers can block unauthorized accesses with this information. In contrast to conventional schemes, which can only detect attacks or restrict cookie sharing, trusted domain verification can prevent both session fixation and cookie eviction attacks without breaking the functionality of cookie sharing. The effectiveness and overhead of the proposed scheme are also evaluated. |