<div class="csl-bib-body">
<div class="csl-entry">Squarcina, M., Adão, P., Veronese, L., & Maffei, M. (2023). Cookie Crumbles: Breaking and Fixing Web Session Integrity. In J. Calandrino & C. Troncoso (Eds.), <i>SEC ’23: Proceedings of the 32nd USENIX Conference on Security Symposium</i> (pp. 5539–5556). USENIX Association. https://doi.org/10.34726/5329</div>
</div>
-
dc.identifier.uri
http://hdl.handle.net/20.500.12708/191151
-
dc.identifier.uri
https://doi.org/10.34726/5329
-
dc.description.abstract
Cookies have a long history of vulnerabilities targeting their confidentiality and integrity. To address these issues, new mechanisms have been proposed and implemented in browsers and server-side applications. Notably, improvements to the Secure attribute and cookie prefixes aim to strengthen cookie integrity against network and same-site attackers, whereas SameSite cookies have been touted as the solution to CSRF. On the server, token-based protections are considered an effective defense for CSRF in the synchronizer token pattern variant. In this paper, we question the effectiveness of these protections and study the real-world security implications of cookie integrity issues, showing how security mechanisms previously considered robust can be bypassed, exposing Web applications to session integrity attacks such as session fixation and cross-origin request forgery (CORF). These flaws are not only implementation-specific bugs but are also caused by compositionality issues of security mechanisms or vulnerabilities in the standard. Our research contributed to 12 CVEs, 27 vulnerability disclosures, and updates to the cookie standard. It comprises (i) a thorough cross-browser evaluation of cookie integrity issues, which results in new attacks originating from implementation or specification inconsistencies, and (ii) a security analysis of the top 13 Web frameworks, exposing session integrity vulnerabilities in 9 of them. We discuss our responsible disclosure and propose practical mitigations.
en
dc.description.sponsorship
Europäischer Forschungsrat (ERC)
-
dc.description.sponsorship
Wirtschaftsagentur Wien Ein Fonds der Stadt Wien
-
dc.description.sponsorship
WWTF Wiener Wissenschafts-, Forschungs- und Technologiefonds
-
dc.language.iso
en
-
dc.rights.uri
http://rightsstatements.org/vocab/InC/1.0/
-
dc.subject
web security
en
dc.subject
web measurement
en
dc.subject
cookies
en
dc.subject
attacks
en
dc.subject
vulnerability
en
dc.subject
session integrity
en
dc.subject
system security
en
dc.title
Cookie Crumbles: Breaking and Fixing Web Session Integrity
en
dc.type
Inproceedings
en
dc.type
Konferenzbeitrag
de
dc.rights.license
Urheberrechtsschutz
de
dc.rights.license
In Copyright
en
dc.identifier.doi
10.34726/5329
-
dc.contributor.affiliation
University of Lisbon, Portugal
-
dc.contributor.editoraffiliation
École Polytechnique Fédérale de Lausanne, Switzerland
-
dc.relation.isbn
978-1-939133-37-3
-
dc.description.startpage
5539
-
dc.description.endpage
5556
-
dc.relation.grantno
771527
-
dc.relation.grantno
ViSP
-
dc.relation.grantno
ICT22-060
-
dc.type.category
Full-Paper Contribution
-
tuw.booktitle
SEC '23: Proceedings of the 32nd USENIX Conference on Security Symposium
-
tuw.peerreviewed
true
-
tuw.relation.publisher
USENIX Association
-
tuw.relation.publisherplace
Berkeley
-
tuw.book.chapter
310
-
tuw.project.title
Foundations and Tools for Client-Side Web Security
-
tuw.project.title
Forschungszentrum für Cybersicherheit und Datenschutz in Wien
-
tuw.project.title
Fixing the Broken Bridge Between Mobile Apps and the Web
-
tuw.researchTopic.id
I1
-
tuw.researchTopic.name
Logic and Computation
-
tuw.researchTopic.value
100
-
tuw.linking
https://dl.acm.org/doi/10.5555/3620237.3620547
-
tuw.publication.orgunit
E192-06 - Forschungsbereich Security and Privacy
-
dc.identifier.libraryid
AC17204842
-
dc.description.numberOfPages
18
-
tuw.author.orcid
0000-0002-3105-0903
-
tuw.author.orcid
0000-0002-4049-1954
-
tuw.author.orcid
0009-0005-0459-6993
-
dc.rights.identifier
Urheberrechtsschutz
de
dc.rights.identifier
In Copyright
en
tuw.event.name
SEC '23: 32nd USENIX Conference on Security Symposium
en
dc.description.sponsorshipexternal
Austrian Research Promotion Agency (FFG)
-
dc.description.sponsorshipexternal
Fundação para a Ciência e a Tecnologia
-
dc.description.sponsorshipexternal
Fundação para a Ciência e a Tecnologia
-
dc.description.sponsorshipexternal
European Commission
-
dc.relation.grantnoexternal
COMET K1 SBA
-
dc.relation.grantnoexternal
UIDB/50008/2020
-
dc.relation.grantnoexternal
CMU/TIC/0053/2021
-
dc.relation.grantnoexternal
830892
-
tuw.event.startdate
09-08-2023
-
tuw.event.enddate
11-08-2023
-
tuw.event.online
On Site
-
tuw.event.type
Event for scientific audience
-
tuw.event.place
Anaheim
-
tuw.event.country
US
-
tuw.event.presenter
Marco Squarcina
-
wb.sciencebranch
Computer Science
-
wb.sciencebranch
Mathematics
-
wb.sciencebranch.oefos
1020
-
wb.sciencebranch.oefos
1010
-
wb.sciencebranch.value
80
-
wb.sciencebranch.value
20
-
item.openaccessfulltext
Open Access
-
item.languageiso639-1
en
-
item.openairetype
conference paper
-
item.mimetype
application/pdf
-
item.grantfulltext
open
-
item.openairecristype
http://purl.org/coar/resource_type/c_5794
-
item.cerifentitytype
Publications
-
item.fulltext
with Fulltext
-
crisitem.project.funder
Europäischer Forschungsrat (ERC)
-
crisitem.project.funder
Wirtschaftsagentur Wien Ein Fonds der Stadt Wien
-
crisitem.project.funder
WWTF Wiener Wissenschafts-, Forschungs- und Technologiefonds