Protecting Cookies from Unauthorized Modification by Trusted Domain Verification

• Main Authors: Chung, Kai-Jen, 鍾凱任
• Other Authors: Shieh, Shiuh-Pyng
• Format: Others
• Language: en_US
• Published: 2012
• Online Access: http://ndltd.ncl.edu.tw/handle/50103418472669475985

碩士 === 國立交通大學 === 資訊科學與工程研究所 === 100 === HTTP Cookie is a well-known mechanism for the storage of session and authentication information. However, the current cookie standard does not provide robust integrity protection. Session fixation and cookie eviction are two famous attacks based on the lack of integrity protection for cookies. With cookie sharing technique, attackers at untrusted subdomains of a trusted web site can launch these attacks. This paper proposes a trusted domain verification scheme to equip browsers with the ability to identify unauthorized modifications of authentication cookies. Since web administrators can divide domains in a web site into trusted domains and untrusted domains respectively, browsers can block unauthorized accesses with this information. In contrast to the conventional schemes which can only detect attacks or restrict cookie sharing, trusted domain verification can prevent both session fixation and cookie eviction attacks without breaking the functionality of cookie sharing. The effectiveness and overhead of the proposed scheme is also evaluated.