SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting
Thomas Unger, Martin Mulazzani, Dominik Fruhwirt, Markus Huber, Sebastian Schrittwieser, Edgar Weippl (SBA Research & FH Campus Wien, Austria)
Session hijacking has become a major problem in today’s Web services, especially with the availability of free off-the-shelf tools. As major websites like Facebook, Youtube and Yahoo still do not use HTTPS for all users by default, new methods are needed to protect the users’ sessions if session tokens are transmitted in the clear. In this paper we propose the use of browser fingerprinting for enhancing current state-of-the-art HTTP(S) session management. Monitoring a wide set of features of the user’s current browser makes session hijacking detectable at the server and raises the bar for attackers considerably. This paper furthermore identifies HTML5 and CSS features that can be used for browser fingerprinting and to identify or verify a browser without the need to rely on the UserAgent string. We implemented our approach in a framework that is highly configurable and can be added to existing Web applications and server-side session management with ease.

Published in: Internet

  1. SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting. Thomas Unger, Martin Mulazzani, Dominik Fruhwirt, Markus Huber, Sebastian Schrittwieser, Edgar Weippl. SBA Research & FH Campus Wien, Austria
  2. Outline. This talk is about:
     - Novel browser fingerprinting methods: CSS3, HTML5
     - SHPF, the Session Hijacking Prevention Framework: browser fingerprinting to enhance session security, an additional crypto layer, open source!
  3. Problem Description. Session hijacking is a problem!
     - HTTPS not yet widespread
     - HTTPS has its own problems: RC4, CRIME, BEAST, Lucky13, ...; Diginotar, Comodo, ...
     - Free tools available: Firesheep, FaceNiff, FITM, ...
  4. SHPF Framework. Our framework:
     - Allows server-side session verification
     - Core method: browser fingerprinting
     - Employs active & passive checkers during a session
     - Works with & without HTTPS
     OWASP Top 10 2013: A2 Broken Authentication and Session Management; A3 Cross-Site Scripting (XSS); A6 Sensitive Data Exposure
  5. Motivation. Initial observation:
     - Regular sessions follow certain (implicit) rules
     - e.g., a session cookie cannot be used with different browsers, with different operating systems, or from multiple countries / IPs!
     Current logging insufficient: UserAgent is not enough! IP is not enough!
  6. Browser Fingerprinting. Like nmap, but for browsers:
     - Browsers are very complex systems
     - Multiple man-years of development
     - Incorporate many different standards: HTML, Javascript, CSS, ...
     - Implementations vary regarding compliance and completeness
  7. Browser Fingerprinting. Related work:
     - EFF's Panopticlick by Eckersley et al. (PETS 2010) [2]
     - UserAgent uniqueness by Yen et al. (NDSS 2012) [5]
     - Rendering engine by Mowery et al. (W2SP 2012) [3]
     - Javascript engine by Mulazzani et al. (W2SP 2013) [4]
  8. CSS3 Fingerprinting.
     - CSS3 as standard not yet finalized
     - Vendor-specific prefixes for draft features
     - For fingerprinting: CSS properties; CSS selectors (new selectors for old properties); CSS filters (modify rendering)
  9. CSS3 Fingerprinting. Implementation in SHPF:
     - Manually identified 23 usable CSS properties
     - For current browsers & CSS3 status
     - Test for presence in style objects using Javascript
  10. HTML5 Fingerprinting. HTML5 currently still under development:
     - We identified 242 items suitable for fingerprinting
     - 30 new HTML tags
     - Rest: new attributes and features for existing tags
     - Verified using 60+ browser/operating system combinations
  11. Example HTML5 Fingerprinting
  12. SHPF Framework. Highly configurable:
     - Can e.g., enforce JavaScript
     - Allow e.g., IP roaming, but strictly prevent browser change
     - Multiple security levels configurable
     - Enforce tighter security for e.g., administrator accounts
     Implementation: PHP5; terminates session if a checker fails; just a few lines to add to existing websites
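The framework slide describes the server side only in outline: a set of checkers run on every request against what was recorded at login, policies that may allow IP roaming while forbidding a browser change, stricter levels for administrators, and termination of the session when any checker fails. The following is an added illustration of that pipeline, written in JavaScript rather than the PHP5 the project uses and not taken from SHPF's code base; the policy names, session record layout, checker names and the sample requests are all constructed. Header names are assumed lowercase in insertion order, as Node's `req.headers` presents them.

```javascript
// Added example, not SHPF's own PHP code: a server-side checker pipeline in the
// spirit of the slides. Policies, session layout and requests are constructed.

// Two constructed security levels: normal users may change IP (mobile roaming),
// administrators may not. Both require the client-side fingerprint.
const POLICIES = {
  standard: { allowIpRoaming: true, requireFingerprint: true },
  admin: { allowIpRoaming: false, requireFingerprint: true },
};

// Header order as a single comparable string. Engines emit request headers in
// a characteristic order, so a change mid-session points to a different client.
function headerOrder(req) {
  return Object.keys(req.headers).map((h) => h.toLowerCase()).join(',');
}

// Each checker returns null when the request is consistent with the stored
// session, or a short reason string when it is not.
const checkers = {
  ip(session, req, policy) {
    if (policy.allowIpRoaming) return null;
    return req.ip === session.ip ? null : 'ip-changed';
  },
  userAgent(session, req) {
    return req.headers['user-agent'] === session.userAgent ? null : 'ua-changed';
  },
  headerOrder(session, req) {
    return headerOrder(req) === session.headerOrder ? null : 'header-order-changed';
  },
  // Active check: the fingerprint token the client's JavaScript posts back
  // (absent when JavaScript is disabled, which the policy may refuse).
  fingerprint(session, req, policy) {
    if (!policy.requireFingerprint) return null;
    if (!req.fingerprint) return 'fingerprint-missing';
    return req.fingerprint === session.fingerprint ? null : 'fingerprint-changed';
  },
};

// Baseline captured from the first request after login.
function captureSession(req) {
  return {
    ip: req.ip,
    userAgent: req.headers['user-agent'],
    headerOrder: headerOrder(req),
    fingerprint: req.fingerprint || null,
    terminated: false,
  };
}

// Runs every checker; the first failure terminates the session, mirroring the
// slides' "terminates session if a checker fails".
function verifySession(session, req, policyName) {
  const policy = POLICIES[policyName];
  for (const [name, check] of Object.entries(checkers)) {
    const reason = check(session, req, policy);
    if (reason) {
      session.terminated = true;
      return { ok: false, checker: name, reason };
    }
  }
  return { ok: true };
}

// Constructed sample: a login request followed by one from a roaming IP.
const loginReq = {
  ip: '203.0.113.10',
  headers: { host: 'example.test', 'user-agent': 'Browser/1.0', accept: '*/*' },
  fingerprint: 'fp-constructed-aaaa',
};
const roamingReq = { ...loginReq, ip: '198.51.100.7' };
console.log(verifySession(captureSession(loginReq), roamingReq, 'standard')); // { ok: true }
console.log(verifySession(captureSession(loginReq), roamingReq, 'admin'));    // ip-changed
```

Running the checkers in a fixed order and stopping at the first failure keeps the per-request cost to a few comparisons against the stored record, which matches the performance slide's point that most checks are simple database lookups; the reason string is what a detection pipeline would log before invalidating the session.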
  13. SHPF Framework. Baseline monitoring: IP; UserAgent; browser version; HTTP header ordering
     Advanced features: CSS fingerprinting; additional encryption layer based on SessionLock by Ben Adida [1], with a shared secret established using a DH key exchange
  14. Example (five walkthrough slides; diagrams only, no text extracted)
  15. Example. How SHPF protects:
     1. Local network attacks: shared secret & browser fingerprinting
     2. XSS: browser fingerprinting
     3. On client: (browser fingerprinting)
     4. Accidental leakage: shared secret & browser fingerprinting
  16. Performance evaluation. Performance:
     - Overhead expected to be just a few percent
     - Approx. 100 kb for bandwidth, biggest part for libraries
     - Few kb in server RAM per session
     - Server: most checks are simple database lookups
     - DH prime generation takes time, esp. mobile!
  17. Conclusion. Future work:
     - Add fingerprinting methods from related work
     - Large-scale entropy evaluation of fingerprinting features
     Conclusion:
     - SHPF can make attacks on user sessions more difficult
     - First to use fingerprinting advantageous for security
     - Source code available under GPL
  18. Thank you for your time! Questions? Email: mmulazzani@sba-research.org | Twitter: @Fr333k. Get the source: https://github.com/mmulazzani/SHPF
  19. SHPF Example
  20. Limitations
     - DH vulnerable to MITM (currently relies on HTTPS)
     - Attacker may use same browser & OS to thwart fingerprinting
     - No defense against social engineering or if attacker has code execution
     However, not security by obscurity!
  21. References
     [1] B. Adida. SessionLock: Securing web sessions against eavesdropping. In Proceedings of the 17th International Conference on World Wide Web (WWW), pages 517–524. ACM, 2008.
     [2] P. Eckersley. How unique is your web browser? In Proceedings of Privacy Enhancing Technologies (PETS), pages 1–18. Springer, 2010.
     [3] K. Mowery and H. Shacham. Pixel perfect: Fingerprinting canvas in HTML5. In Proceedings of Web 2.0 Security & Privacy Workshop (W2SP), 2012.
     [4] M. Mulazzani, P. Reschl, M. Huber, M. Leithner, S. Schrittwieser, and E. Weippl. Fast and reliable browser identification with JavaScript engine fingerprinting. In Web 2.0 Workshop on Security and Privacy (W2SP), May 2013.
     [5] T.F. Yen, Y. Xie, F. Yu, R.P. Yu, and M. Abadi. Host fingerprinting and tracking on the web: Privacy and security implications. In Proceedings of the 19th Annual Network & Distributed System Security Symposium (NDSS), 2012.
