SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting

M. Mulazzani, E. Weippl, S. Schrittwieser, T. Unger, M. Huber, D. Frühwirt:
"SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting";
Vortrag: Eighth International Conference on Availability, Reliability and Security (ARES), Regensburg; 02.09.2013 - 06.09.2013; in:"Proceedings of the Eighth International Conference on Availability, Reliability and Security (ARES)", 8 (2013), ISBN: 978-0-7695-5008-4.

[ Publication Database ]

Abstract:


Session hijacking has become a major problem
in today´sWeb services, especially with the availability of free
off-the-shelf tools. As major websites like Facebook, Youtube
and Yahoo still do not use HTTPS for all users by default,
new methods are needed to protect the users´ sessions if
session tokens are transmitted in the clear.
In this paper we propose the use of browser fingerprinting for
enhancing current state-of-the-art HTTP(S) session management.
Monitoring a wide set of features of the user´s current
browser makes session hijacking detectable at the server
and raises the bar for attackers considerably. This paper
furthermore identifies HTML5 and CSS features that can be
used for browser fingerprinting and to identify or verify a
browser without the need to rely on the UserAgent string. We
implemented our approach in a framework that is highly configurable
and can be added to existing Web applications and
server-side session management with ease. To enhance Web
session security, we use baseline monitoring of basic HTTP
primitives such as the IP address and UserAgent string, as
well as complex fingerprinting methods like CSS or HTML5
fingerprinting. Our framework can be used with HTTP and
HTTPS alike, with low configurational and computational
overhead. In addition to our contributions regarding browser
fingerprinting, we extended and implemented previous work
regarding session-based shared secrets between client and
server in our framework.