CISPA
Browse

Honey, I Cached our Security Tokens Re-usage of Security Tokens in the Wild

Download (322.04 kB)
conference contribution
posted on 2024-04-05, 10:46 authored by Leon TrampertLeon Trampert, Ben StockBen Stock, Sebastian Roth
In order to mitigate the effect of Web attacks, modern browsers support a plethora of different security mechanisms. Mechanisms such as anti-Cross-Site Request Forgery (CSRF) tokens or nonces in a Content Security Policy rely on a random number that must only be used once. Notably, those Web security mechanisms are shipped through HTML tags or HTTP response headers from the server to the client side. To decrease the server load and the traffic burdened on the server infrastructure, many Web applications are served via a Content Delivery Network (CDN), which caches certain responses from the server to deliver them to multiple clients. This, however, affects not only the content but also the settings of the security mechanisms deployed via HTML meta tags or HTTP headers. If those are also cached, their content is fixed, and the security tokens are no longer random for each request. Even if the responses are not cached, operators may re-use tokens, as generating random numbers that are unique for each request introduces additional complexity for preserving the state on the server side. This work sheds light on the re-usage of security tokens in the wild, investigates what caused the static tokens, and elaborates on the security impact of the non-random security tokens.

History

Primary Research Area

  • Secure Connected and Mobile Systems

Name of Conference

International Symposium on Research in Attacks Intrusions and Defenses (RAID)

Journal

Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses

Page Range

714-726

Publisher

Association for Computing Machinery (ACM)

Open Access Type

  • Not Open Access

BibTeX

@conference{Trampert:Stock:Roth:2023, title = "Honey, I Cached our Security Tokens Re-usage of Security Tokens in the Wild", author = "Trampert, Leon" AND "Stock, Ben" AND "Roth, Sebastian", year = 2023, month = 10, journal = "Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses", pages = "714--726", publisher = "Association for Computing Machinery (ACM)", doi = "10.1145/3607199.3607223" }

Usage metrics

    Categories

    No categories selected

    Licence

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC