Sound and Static Analysis of Session Fixation Vulnerabilities in PHP Web Applications - Sorbonne Université
Conference poster, Year: 2017

Abstract

Web applications use authentication mechanisms to provide personalized content to their users. However, attacks such as session fixation target these mechanisms by making the legitimate user authenticate with a session identifier that is controlled by the attacker, who can then impersonate that user without knowing their credentials. In this paper, we present SAWFIX, a PHP static analyzer that checks web applications for session fixation vulnerabilities. To the best of our knowledge, SAWFIX is the first analyzer that checks exhaustively for this type of vulnerability; other methods only ensure partial correctness, limited to a fraction of the possible executions. SAWFIX is based on abstract interpretation, a theory for approximating the semantics of programs that allows designing static analyzers that are fully automatic and sound by construction. We implemented a prototype of our approach and tested it on several complex web applications. We obtained promising results in terms of detection accuracy and processing time, which reflect the efficiency of our system.
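The attack the abstract describes, shown as a PHP login handler that is open to session fixation beside a hardened version. This is an added example written for this page, not code from the paper or from SAWFIX; the credential store, the username and password, and the planted session identifier are constructed for the illustration.

```php
<?php
// Added example (not code from the paper or from SAWFIX): a login handler
// open to session fixation, beside a hardened version. The user store, the
// credentials and the planted session id are constructed for the demo.

declare(strict_types=1);

// Constructed credential store: username => password hash. The hash is
// computed at runtime so the example carries no hard-coded hash material.
function demo_users(): array
{
    return ['alice' => password_hash('s3cret', PASSWORD_DEFAULT)];
}

// VULNERABLE: the session id the client presented before authentication is
// kept after authentication. If the attacker planted that id in the victim's
// browser (for example via a cookie set from a sibling subdomain, or a crafted
// link on a deployment that accepts ids from the URL), the attacker's copy of
// the id now names a logged-in session.
function login_vulnerable(string $user, string $pass): bool
{
    $users = demo_users();
    session_start();                       // adopts whatever id was sent
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    $_SESSION['user'] = $user;             // privilege change, same id kept
    return true;
}

// HARDENED: three independent controls. The decisive one for fixation is
// regenerating the id on every path from session_start() to the privilege
// change, which is the property a static analysis of this class has to check.
function login_hardened(string $user, string $pass): bool
{
    $users = demo_users();

    // 1. Never adopt an id the server did not issue: in strict mode an
    //    uninitialized id from the client is discarded and a fresh one made.
    ini_set('session.use_strict_mode', '1');
    // 2. Accept the id only from the cookie, never from the query string.
    ini_set('session.use_only_cookies', '1');
    // Cookie flags (PHP 7.3+ array form) keep the id off cleartext transport
    // and away from script access; they do not stop fixation by themselves.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);

    session_start();
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }

    // 3. On the privilege change, issue a new id and delete the old session
    //    data, so an id the attacker knew beforehand is worthless.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

// Logout must destroy the server-side state, not only expire the cookie.
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage (CLI, for inspection only; in a real request the handlers are called
// from the form's POST handler). The "attacker" chooses the id in advance;
// after the hardened login the victim's session no longer uses it.
if (PHP_SAPI === 'cli') {
    $planted = 'attackerchosenid1234567890';   // constructed, 26 chars
    session_id($planted);
    login_hardened('alice', 's3cret');
    echo 'id after hardened login differs from planted id: ',
         session_id() !== $planted ? 'yes' : 'no', PHP_EOL;
    logout();
}
```

Run it with `php fixation.php` (any file name); with `login_vulnerable` substituted for `login_hardened` in the usage block the printed answer becomes `no`, which is exactly the condition a session fixation check has to flag: an authenticated session whose identifier predates authentication and was never regenerated.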
File not deposited

Dates and versions

hal-01522368, version 1 (14-05-2017)

Cite

Abdelouahab Amira, Abdelraouf Ouadjaout, Abdelouahid Derhab, Nadjib Badache. Sound and Static Analysis of Session Fixation Vulnerabilities in PHP Web Applications. CODASPY, Mar 2017, Scottsdale, Arizona, United States. Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, 2017, ⟨10.1145/3029806.3029838⟩. ⟨hal-01522368⟩