- Open Access
- Total Downloads : 5
- Authors : Sachin, Yashpal
- Paper ID : IJERTCONV3IS10034
- Volume & Issue : NCETEMS – 2015 (Volume 3 – Issue 10)
- Published (First Online): 24-04-2018
- ISSN (Online) : 2278-0181
- Publisher Name : IJERT
- License: This work is licensed under a Creative Commons Attribution 4.0 International License
1, 2 Department of Computer Science &Engineering, Ganga Institute of Technology and Management, Kablana, Jhajjar, Haryana, India
Abstract Cross Site Scripting (XSS) makes victims execute an arbitrary script and leaks out personal information from victims computers. An adversary can easily get victims cookies by the XSS attack. If the adversary cannot use the stolen cookies to impersonate the victim, stealing cookie has no meaning. Therefore, we propose a method to prohibit the abuse of stolen cookies in order to make it ineffective to steal cookies through the XXS attack. The proposed method uses onetime password and challenge-response authentication to identify whether a person is a valid owner of the cookie.
Keywords:- Cookies, Cross Site Scripting, HTTP, Web Application
Today the Internet is widely used all over the world. More the Internet is used, more the security of computer is demanded. Especially protecting personal information is one of major concerns because of the advent of various kinds of Internet services such as SNS and online shopping. Such various kinds of services often use a function called cookie.
Cookie is a small piece of data sent from a website and stored in a users web browser while a user is browsing the website ,. browsing It can be read out by web server whenever needed. Cookie provides websites with a reliable mechanism for remembering their state and users activities. Cross Site Scripting (XSS) is a typical web application vulnerability and an attacker of XSS can steal cookies by setting up the execution of malicious scripts after crossing several websites. This attack finally enables the adversary to do illegal access or session hijack. Nowadays, XSS dominates the largest percentage of all web application vulnerabilities . Unfortunately, there is no effective way to prevent it , . A secure cookie system and a method to prevent XSS attack are highly demanded.
comparison with previous methods in section V. Conclusion is given in section VI.
Session Management of HTTP
Hyper Text Transfer Protocol (HTTP) is a protocol which is constructed for exchanging data between a web browser and a web server at World Wide Web (WWW). HTTP is a request-response type protocol such that a client, web browser, sends a server a HTTP request containing URL and method, and receives a HTTP response. The set of request and response is called session. When the session is completed, connection between the client and the server is disconnected. The connection is stateless. That is, the erver treats each request as an independent connection: The server does not hold the information of the previous client and cannot reflect the state of the previous session. This kind of stateless protocol is not suitable for online operations such as online shopping. In order to solve this problem, there is an idea of session management which provides statefull protocol that is able to hold the state of the connection. Session management means that the server recognizes the session with the clients and grasps the progress of processing. If session starts, messages between the server and the client share the same session ID. They recognize each other by checking the session ID .
The technology which enables the session management over the HTTP protocol is called cookie. Cookie is widely used for storing the session ID and personal information handled in web applications. It is a small size of data stored in a text file of the users computer and exchanged between the server and the client , . There are six parameters in the cookie called attribute.
Name of the cookie
Value of the cookie
Deadline of the cookie
Path of the server which the browser sends the cookie
Domain of the server where the browser sends the cookie
The demand for a secure connection between the browser and the server.
Cookie is given to a web browser from the server and is held at the browser until it expires. There are two types of cookies, a session cookie and a persistent cookie. The session cookie is used temporarily and discarded when the browser closes. The value of a session cookie is a random value and renewed every time a new session starts. On the other hand, a persistent cookie is stored in the browser for a definite period of time. Once a persistent cookie is given to the browser, it can be reused for any number of times, which improves the performance of web services.
Cross Site Scripting (XSS)
An attack of XSS  inserts a malicious script while a user is browsing web pages. If the attack succeeds, the adversary makes a victim to execute an arbitrary script which is sent from the server to the browser without any translation. The adversary does not attack a vulnerable server directly, but uses the vulnerability to lead a target user to a phishing page.
Fig 1. Procedures of XSS
The figure 1 shows the concept and procedures of XSS. An attacker follows the following procedures to launch the XSS attack.
An adversary prepares a web site (trap page) and puts a link to other web site which has vulnerability. The link contains a malicious script, that sends cookie to the adversary in step 6).
When a user comes to the trap page, he receives the HTTP response which contains malicious script. At this stage, the script has not been invoked.
When a user clicks the link, the malicious script is sent to the vulnerable server as a part of HTTP request.
The server returns the malicious script to the users browser without any process because of the vulnerability.
The browser executes the malicious script because the browser falsely regards the script is required not from the adversary but from the server.
Because of the execution of the malicious script, the browser sends cookie or personal information to the adversary.
If the vulnerable server exists, it enables the adversary to commits various kinds of attack by crossing a trap page
and embeds a malicious script. It means that after the success of the XSS attack the adversary can get personal information to impersonate a valid user or session hijack.
XSS vulnerability often exists in the web page which has a text field and operates dynamically according to the input character. Therefore web pages which deal with the personal information such as resister page or login page are more likely to have XSS vulnerability. The cause of XSS vulnerability is that a web browser executes all scripts received from any server. Of course a browser has option to prohibit the execution of all the scripts that the browser receives. However, it spoils the convenience of cookies. One of the reasons why XSS is still a majo issue is low level awareness of people who manage the web server. People who are not an expert of computing can make web pages easily today and get damage of XSS. Meanwhile, server administrators are less likely to take an active action against XSS because they do not get damage directly. Also, taking measures against XSS needs a lot of cost and XSS seems to be ignored in spite of its damages.
A fundamental method to invalidate a malicious script contained in the HTTP request is escaping special characters by using CGI script. In the method, servers regard a script in the HTTP request as a script embedded by an adversary. The CGI script replaces special characters such as & and < of the HTTP request with equivalent characters shch as & and <, respectively, before it is sent to the users browser as a HTTP response. A malicious script is never executed after escaping special characters. Unfortunately, there are still many sites which do not take this counter measure. From these reasons, XSS is still a major attack in computer networks that we must prevent.
Using Session Cookie
Cookie is stored at a browser until it expires. If we are able to remove the cookie before the adversary successfully steals it, the leakage of cookie never happens. The valid period of cookie can be determined by setting the deadline of cookie described in section II-B. In the session cookies, the period is set at the past time so that these cookies will be removed every time the session terminates. This method disables the adversary to abuse the stolen cookie, but it ruins the advantage of cookie which does not require the valid user to input his personal information every time he logs in to his account. Also it cannot prevent replay attack which reuse the password stored in the session cookie.
Dynamic Cookies Rewriting Technique
Rewriting the value of cookies is effective for precluding the adversary to use stolen cookies . When the server sends a cookie to the browser, a web proxy changes the values of the cookie into randomized values before stored in the browser. As the browsers database does not have the original values of the cookies, the adversary does not get the true values even if the XSS attack succeeds. The proxy has a table which stores the attributes of the cookie and randomized values. When a server requests the browser to
send a cookie, the randomized cookie is rewritten to the original value by the proxy and send to the server. A user can reuse the same cookie again. So the user can enjoy the benefit of the cookie. However there are two types of adversaries for which this method does not work; (1) If an adversary and valid users are in the same LAN and the adversary steals the randomized cookies, the adversary succeeds in impersonation by sending these cookies through the same proxy in the LAN. (2) When an adversary steals cookies after the proxy writes them back to the original values, these stolen cookies contain true values. This method is secure only if the adversary cannot use the same web proxy as a valid user uses. Concerning replay attack, both of adversaries described above can perform replay attack easily.
PREVENTING ABUSE OF STOLEN COOKIES
As explained in section II-C, direct anti-XSS methods such as escaping special characters is not secure enough. In this section, we discuss indirect anti-XSS methods. In our approach, we pay attention to decreasing the effect of stealing cookies by XSS. That is, an adversary cannot abuse stolen cookies even if they have leaked out. Stolen cookies are often used for session hijacking and prohibiting abuse of the stolen cookies allows us to prevent session hijacking. When someone accesses to a login page with a stolen cookie, the system regards him as a valid user and impersonation succeeds. From this point of view, distinguishing a regular user from an adversary possessing stolen cookies is effective for invalidating the XSS. In the next section, we propose a method for indirect anti- XSS using the challenge-response authentication.
Synchronize State Cookie Protocol
We propose a method that uses one-time password and challenge-response authentication. In our method, a server and a user have the same password which is renewed every fixed time. The user keeps the password in the persistent cookie and uses it when he needs to log in to his account. The password the user uses and the password the server keeps need to be synchronized at all times. There are various kinds of one-time password schemes . If a new password is generated by an algorithm using a secret value, the value should not be stored in any cookie.
We also use challenge-response authentication in our method. In response to an authentication request, the server sends a challenge value to the user. We use a PHP session ID as a challenge value. A user calculates the response value by hashing the concatenation of his password and the challenge value. Then the user sends the response value to the server, and the server checks whether the value matches with the value calculated by the server or not. When it matches, the user is able to access his account.
In this section, we discuss properties of the proposed method. There are some advantages in our method. Even if an adversary succeeds in stealing a password contained
Table I: COMPARISON OF THREE PROTECTIVE METHODS
Our Method Synchronized State Cookie
Cookie Abuse Prevention
Cookie Abuse Prevention
Possibility of No Error
: satisfied , Ã— : not satisfied ,
* : Not satisfied against adversaries described in section III-B
When a server has XSS vulnerability, an adversary can obtain users cookies. To minimize the influence of XSS indirectly, we introduced a method for preventing abuse of stolen cookies. It uses one-time password and challenge- response authentication to judge whether an accessing user is valid or not. With keeping usability, it can prevent the abuse of stolen cookies after their expiry and offers anti- replay attack property. We plan to implement our proposed method and evaluate its feasibility including latency
A part of this paper is supported by JSPS A3 Foresight Program.We would like to appreciate the support.
REFERENCES. Joon S. Park, Ravi Sandhu, Secure Cookies on the Web, 3rd ed. IEEE INTERNET COMPUTING, pp.36-44, JULY – AUGUST 2000. . Vorapranee Khu-smith, Chris Mitchell, Enhancing the Security of Cookies, ICICS 2001, LNCS 288, pp.132- 145, 2002. . JNV (Japan Vulnerability Notes) iPedia, CWE-79, Cross Site Scripting, http://jvndb.jvn.jp/ja/cwe/CWE-79.html. . IPA Security Center, Report on Vulnerability-related Information of Software, http://www.ipa.go.jp/files/000009160.pdf . D. Kristol, L. Montulli, HTTP State Management Mechanism, IETF Documents IETF Tools, http://tools.ietf.org/html/rfc2965. . Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone, Handbook of Applied Cryptography, CRC Press, ISBN: 0- 8493-8523-7, 1997.