Honey, I Cached our Security Tokens : Re-usage of Security Tokens in the Wild

Title details

Trampert, Leon ; Stock, Ben ; Roth, Sebastian:
Honey, I Cached our Security Tokens : Re-usage of Security Tokens in the Wild.
2023
Event: 26th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 16-18 October 2023, Hong Kong.
(Conference contribution: Congress/Conference/Symposium/Meeting, Paper)
DOI: https://doi.org/10.1145/3607199.3607223

Abstract

In order to mitigate the effect of Web attacks, modern browsers support a plethora of different security mechanisms. Mechanisms such as anti-Cross-Site Request Forgery (CSRF) tokens or nonces in a Content Security Policy rely on a random number that must only be used once. Notably, those Web security mechanisms are shipped from the server to the client side through HTML tags or HTTP response headers. To reduce server load and the traffic on the server infrastructure, many Web applications are served via a Content Delivery Network (CDN), which caches certain responses from the server and delivers them to multiple clients. This, however, affects not only the content but also the settings of the security mechanisms deployed via HTML meta tags or HTTP headers. If those are also cached, their content is fixed, and the security tokens are no longer random for each request. Even if the responses are not cached, operators may re-use tokens, as generating random numbers that are unique for each request introduces additional complexity for preserving state on the server side. This work sheds light on the re-use of security tokens in the wild, investigates what caused the static tokens, and elaborates on the security impact of the non-random security tokens.
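The abstract describes two failure modes an operator can check for on their own site: a CDN serving the same CSP nonce or CSRF token to multiple clients, and an application re-using tokens even on uncached responses. The following is an added example, not code from the paper or its authors: it audits a set of captured responses for repeated nonces and CSRF tokens and reports how many of them carried cache-hit hints. The response samples, the `x-cache` header value and the `csrf_token` field name are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample responses (header dict, HTML body), as an auditor might
# capture them from three repeated fetches of the same page. The first two
# are assumed to come back from a CDN cache and therefore carry identical tokens.
SAMPLE_RESPONSES = [
    ({"content-security-policy": "script-src 'nonce-abc123'",
      "x-cache": "HIT", "age": "37"},
     '<form><input type="hidden" name="csrf_token" value="tok-1"></form>'),
    ({"content-security-policy": "script-src 'nonce-abc123'",
      "x-cache": "HIT", "age": "41"},
     '<form><input type="hidden" name="csrf_token" value="tok-1"></form>'),
    ({"content-security-policy": "script-src 'nonce-zzz999'",
      "x-cache": "MISS", "age": "0"},
     '<form><input type="hidden" name="csrf_token" value="tok-2"></form>'),
]

NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")
CSRF_RE = re.compile(r'name="csrf[-_]?token"\s+(?:value|content)="([^"]+)"', re.I)
META_CSP_RE = re.compile(r'http-equiv="Content-Security-Policy"\s+content="([^"]*)"', re.I)


def extract_tokens(headers, body):
    """Collect CSP nonces (from the header and any <meta> CSP) and CSRF tokens."""
    csp_sources = [headers.get("content-security-policy", "")] + META_CSP_RE.findall(body)
    nonces = {n for src in csp_sources for n in NONCE_RE.findall(src)}
    csrf = set(CSRF_RE.findall(body))
    return nonces, csrf


def looks_cached(headers):
    """Heuristic: an x-cache HIT (assumed CDN header) or a non-zero Age header."""
    return headers.get("x-cache", "").upper().startswith("HIT") or int(headers.get("age") or 0) > 0


def audit(responses):
    """Report tokens seen in more than one response and how many responses looked cached."""
    nonce_counts, csrf_counts, cached = Counter(), Counter(), 0
    for headers, body in responses:
        nonces, csrf = extract_tokens(headers, body)
        nonce_counts.update(nonces)
        csrf_counts.update(csrf)
        cached += looks_cached(headers)
    return {
        "reused_nonces": {n: c for n, c in nonce_counts.items() if c > 1},
        "reused_csrf": {t: c for t, c in csrf_counts.items() if c > 1},
        "cached_responses": cached,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_RESPONSES))
```

Any entry in `reused_nonces` or `reused_csrf` means the token is no longer unique per request; a non-zero `cached_responses` count alongside it points at the CDN rather than the application as the cause.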

Further details

Publication type: Conference contribution (Paper)
Peer reviewed: Yes
University institutions: Fakultäten > Fakultät für Mathematik, Physik und Informatik
Fakultäten > Fakultät für Mathematik, Physik und Informatik > Institut für Informatik
Title produced at UBT: No
DDC subject areas: 000 Computer science, information, general works
000 Computer science, information, general works > 004 Computer science
Deposited on: 20 Jan 2025 08:12
Last modified: 20 Jan 2025 08:36
URI: https://eref.uni-bayreuth.de/id/eprint/91462