HAL TEI export of hal-01522368

HAL TEI export of hal-01522368 CCSD CC0 1.0 - Universal

HAL API Platform

Sound and Static Analysis of Session Fixation Vulnerabilities in PHP Web Applications Abdelouahab Amira 1169896-0 Abdelraouf Ouadjaout 88071e6e43bfa8cdedf09199c9a4736e lip6.fr aouadjaout 9404 40114-9404 https://orcid.org/0000-0001-7248-5914 https://www.idref.fr/253126290 Abdelouahid Derhab 777859 1023508-777859 https://orcid.org/0000-0002-6498-1528 Nadjib Badache 235503-0 Abdelraouf Ouadjaout 88071e6e43bfa8cdedf09199c9a4736e lip6.fr 2017-05-14 20:44:17 2023-04-11 15:16:28 2017-05-14 20:44:17 2017-03-22 contributor Abdelraouf Ouadjaout 88071e6e43bfa8cdedf09199c9a4736e lip6.fr CCSD hal-01522368 https://hal.sorbonne-universite.fr/hal-01522368 amira:hal-01522368 <i>CODASPY</i>, Mar 2017, Scottsdale, Arizona, United States. Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, 2017, <a target="_blank" href="https://dx.doi.org/10.1145/3029806.3029838">⟨10.1145/3029806.3029838⟩</a> CODASPY, Mar 2017, Scottsdale, Arizona, United States. Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, 2017, ⟨10.1145/3029806.3029838⟩ Université Pierre et Marie Curie CNRS - Centre national de la recherche scientifique Laboratoire d'Informatique de Paris 6 UPMC Pôle 1 Sorbonne Université Faculté des Sciences de Sorbonne Université Collection test HAL CNRS Alliance Sorbonne Université International No No Yes Yes Sound and Static Analysis of Session Fixation Vulnerabilities in PHP Web Applications Abdelouahab Amira 1169896-0 Abdelraouf Ouadjaout 88071e6e43bfa8cdedf09199c9a4736e lip6.fr aouadjaout 9404 40114-9404 https://orcid.org/0000-0001-7248-5914 https://www.idref.fr/253126290 Abdelouahid Derhab 777859 1023508-777859 https://orcid.org/0000-0002-6498-1528 Nadjib Badache 235503-0 CODASPY 2017-03-22 Scottsdale, Arizona United States conferenceOrganizer ACM 2017-03-22 10.1145/3029806.3029838 English Computer Science [cs]/Programming Languages [cs.PL] Conference poster Conference poster Conference poster

Web applications use authentication mechanisms to provide user-friendly content to users. However, some dangerous techniques like session fixation attacks target these mechanisms, by making the legitimate user use a session identifier that is controlled by the attacker. In this way, he can then impersonate the legitimate user without the need to know his credentials. In this paper, we present SAWFIX, a PHP static analyzer that checks web applications for session fixation vulnerabilities. To the best of our knowledge, SAWFIX is the first analyzer that checks exhaustively for this type of vulnerabilities, while the other methods only ensure partial correctness that is limited to a fraction of possible executions. SAWFIX is based on abstract interpretation, which is a theory for approximating the semantics of programs and allows designing static analyzers that are fully automatic and sound by construction. We implemented a prototype of our approach and tested it on several complex web applications. We obtained promising results in terms of detection accuracy and processing time, which reflects the efficiency of our system.

Centre de recherche sur l'Information Scientifique et Technique CERIST

5 rue des trois frères Aissou Ben Aknoun Alger

http://www.cerist.dz/ Algorithmes, Programmes et Résolution APR 2008-10-01 2017-12-31

Center of Excellence in Information Assurance CoEIA

Université des Sciences et de la Technologie Houari Boumediene = University of Sciences and Technology Houari Boumediene [Alger] USTHB

BP 32 EL Alia 16111 Bab Ezzouar, Alger

http://www.usthb.dz/ Ministère de l'Education nationale, de l’Enseignement supérieur et de la Recherche M.E.N.E.S.R.

1 rue Descartes - 75231 Paris cedex 05

199712651U https://ror.org/05krcen59 Laboratoire d'Informatique de Paris 6 LIP6 1997-01-01 2017-12-31

4 Place JUSSIEU 75252 PARIS CEDEX 05

http://www.lip6.fr/ https://ror.org/02en5vm52 Université Pierre et Marie Curie - Paris 6 UPMC 2017-12-31

4 place Jussieu - 75005 Paris

http://www.upmc.fr/ 02636817X 0000000122597504 https://ror.org/02feahw73 Centre National de la Recherche Scientifique CNRS 1939-10-19

https://www.cnrs.fr/ https://ror.org/02f81g417 King Saud University [Riyadh] KSU

King Saud University, Riyadh 12372

http://ksu.edu.sa/en/