Abstract:
Cookie-based web authentication is the most widespread practice for maintaining a user's web session. This mechanism is inherently exposed to serious security threats: an attacker who acquires a copy of the cookies carrying authentication information may be able to impersonate the user and conduct a session on their behalf. Recently, browser-side defenses have proven to be an effective protection measure against this class of attacks. In existing approaches, all such defenses ultimately rely on empirical client-side heuristics to automatically detect authentication cookies, so that they can be protected against theft or other unintended use.
In this thesis, we build upon a conference paper published at WWW '14 to overcome its limitations. Specifically: (1) the results of that paper are based on a gold set of only 327 cookies collected from 70 websites; in this work, we extend the analysis to a much larger dataset of approximately 2500 cookies gathered from 220 popular websites according to the Alexa ranking. (2) We implement a faster and more accurate authentication token detection method, with which our gold set is constructed, including full JavaScript support. (3) We confirm a common assumption in the literature that the number of authentication cookies registered by JavaScript is negligible. (4) We formalize a novel measure of protection, used to further evaluate the effectiveness of previous heuristics from the literature as well as of our approach. (5) We adopt a different machine learning approach to deal with the new challenges that arise mainly from the larger size of the dataset and from the distribution of its instances.
Ultimately, the results of our work provide a more in-depth insight into how web authentication is implemented in practice and what kinds of security measures are adopted throughout the Web.