
Detection of Session Fixation Vulnerabilities with Session ID Monitoring

Masataka Utsumi (1), Yuji Kosuga (1) and Kenji Kono (1, 2)
(1) Keio University  (2) JST CREST

[The Japanese title and abstract did not survive extraction; surviving terms: Session ID, Session Fixation.]

Abstract: In recent years, session fixation has become one of the most critical security flaws in web applications. Session fixation is an attack technique that forces a visitor of a web application to use a session identifier (SID) that the attacker prepared. After the visitor's login, the attacker can masquerade as the visitor by accessing the web application with that SID. Assigning a new SID each time a user logs in is a well-known and effective technique for preventing session fixation. However, many web applications in the real world do not properly implement this prevention technique. In this paper, we propose a technique to detect session fixation vulnerabilities in web applications by monitoring the change of SIDs before and after a user's login. Since our technique checks web applications without requiring their source code, it is useful for checking legacy web applications that are already running. In the experiment, our system successfully detected vulnerabilities in our original test cases and in a real-world web application.

1.
[Introduction; only isolated terms survive extraction: session ID, Session Fixation, Cross-Site Request Forgery (CSRF), Session Hijack.]

© 2010 Information Processing Society of Japan

[Introduction, continued; surviving terms only: session ID; WhiteHat Security 1), 12%, Session Fixation; MBSD 2), Session Fixation; outline of Sections 2 to 7.]

2.
2.1 [Surviving terms only: Session Fixation; acros 3), MBSD 2), BASS 4); Cross-Site Request Forgery (CSRF), Referer, URL, NoForge 5), session ID; Origin 6).]

[2.1, continued; surviving terms only: Google Chrome 4 7); CSRF; Session Fixation.]
2.2 [Surviving terms only: Session Fixation; SecuBat 8), WAVES 9); SQL, HTML, JavaScript.]

3.
3.1 [Session Fixation. Fig. 1: Session Fixation, steps 1 to 5 involving the session ID; step labels lost in extraction.]
3.2 [Surviving terms only: Session Fixation; session ID.]

[3.2, continued, referring back to 3.1; surviving terms only: session ID; Session Fixation.]
3.3 [Surviving terms only: WhiteHat Security 1), 12%, Session Fixation; MBSD 2), Session Fixation.]

4.
4.1 [Session Fixation.]
4.2 [Surviving terms only: session ID; Session Fixation. Fig. 2: labels lost in extraction; refers to the session ID.]
4.3 [Surviving terms only: session ID; refers forward to 4.4 and to Fig. 2 and Fig. 3; HTML.]

R " 5TSTUOV:W @B> 687:9<;X >G*O/+0 "!$#"% & ')("* + &,+-."/+01"!$#"% 3 4.4 ID ID URL ID ID ID ID ID 4.4.1 URL URL URL after_login.php?sid=abcdef URL? URL ID? = 4.4.2 Cookie Cookie: sid=abcdef ID Cookie ID Cookie URL = 4.4.3 ID ID ID ID ID &, -. "IJ -P/+0Q(+LM6N7:9N;= >G*O/+0 + &,+-.I"J -K/+08(+LM6N7:9N;= >G*O/+0 #% 2 3 4 5687:9<;= >1?1@BADC EGFH@ 4 ID ID ID ID ID ID ID Session Fixation ID Session Fixation ID 5 c 2010 Information Processing Society of Japan

I! #"%$ && 8 9%: C : D : 8 9%: A/B C : D : A/B 8 9%: ')(+*-,/. 021 3 4/576 C : D : 1 ID ID ID 1 URL 2 URL 3 4 5 URL 6 EFHG J K=L!M & ;=< >@? 5 4.4 ID 4.3 ID ID 5 6. ID ID / / ID 4 ID ID / ID 5. ID Java 6.1 phpbb Session Fixation firefox 3.5.7 3 / ID 1 / ID 6.2 6.2.1 1 ID ID 1 1 4 6 c 2010 Information Processing Society of Japan

[6.2.1, continued; cases 1 to 6; session ID. Environment: Apache 2.2.13 (Unix), MySQL 5.1.39.]
6.2.2 [Surviving terms only: session ID; cases 1, 4, 5 and 6.]
6.3
6.3.1 [phpbb, distributed via SourceForge 10) (410,449); NoForge 5), CSRF, Session Fixation. Environment: Apache 2.0.63 (Unix), MySQL 5.1.37; phpbb 2.0.12 obtained from SourceForge 10).]
6.3.2 [phpbb, Session Fixation; Fig. 6 shows the tool output. CookieAnalyze beforeset: phpbb2mysql_data, phpbb2mysql_sid, PHPSESSID (3 cookies); CookieAnalyze afterset: phpbb; URLRewritingAnalyze beforeset: logout, sid; URLRewritingAnalyze beforeset: 2, 3. The session ID phpbb2mysql_sid is the one relevant to Session Fixation in phpbb; the remaining text on phpbb2mysql_sid, and the mention of phpbb 3.0.6 and Session Fixation, did not survive extraction.]

7. [Session Fixation.]

Fig. 6 Inspection results for phpbb

[7, continued] ... with the aim of notifying developers that web applications running in such an insufficient state are vulnerable, and it makes it possible to detect the vulnerability more easily than doing everything by hand. The proposed method obtains the session ID from the request before login and the request after login, and checks whether the countermeasure has been applied by comparing the two. In the experiment we showed that a web application in actual operation has a Session Fixation vulnerability. Future work includes improving the identification of login pages and the accuracy of session ID extraction so that the proposed method can inspect more web applications. In addition, since page transitions and the entry of the user name and password are currently done by hand, we intend to automate the inspection so that it can be performed more easily.

References
1) WhiteHat Security, Inc.: Website Security Statistics Report, 8th Edition, Fall 2009, http://www.whitehatsec.com/home/resource/stats.html.
2) Mitsui Bussan Secure Directions (MBSD), Inc.: Web Application Vulnerability Inspection Report for Fiscal 2008, http://www.mbsd.jp/news/pressrelease_img/20090717/websec2008report.pdf.
3) acros: Session Fixation Vulnerability in Web-based Applications, http://www.acrossecurity.com/papers/session_fixation.pdf.
4) Yu, D., Chander, A., Inamura, H. and Serikov, I.: Better abstractions for secure server-side scripting, WWW '08: Proceedings of the 17th International Conference on World Wide Web, pp.507–516 (2008).
5) Jovanovic, N., Kirda, E. and Kruegel, C.: Preventing Cross Site Request Forgery Attacks, SecureComm '06: Second International Conference on Security and Privacy in Communication Networks, pp.1–10 (2006).
6) Barth, A., Jackson, C. and Mitchell, J. C.: Robust Defenses for Cross-Site Request Forgery, CCS '08: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp.75–88 (2008).
7) Google, Inc.: Google Chrome, http://www.google.com/chrome.
8) Kals, S., Kirda, E., Kruegel, C. and Jovanovic, N.: SecuBat: a web vulnerability scanner, WWW '06: Proceedings of the 15th International Conference on World Wide Web, pp.247–256 (2006).
9) Huang, Y.-W., Huang, S.-K., Lin, T.-P. and Tsai, C.-H.: Web application security assessment by fault injection and behavior monitoring, WWW '03: Proceedings of the 12th International Conference on World Wide Web, pp.148–159 (2003).
10) SourceForge, Inc.: phpbb, http://sourceforge.net/projects/phpbb/.