Web Session Hijacking Defense Technique Using User Information
Woo Seob Hwang (1), Jin Gon Shon (1), and Ji Su Park (2, *)

Human-centric Computing and Information Sciences volume 12, Article number: 16 (2022)
https://doi.org/10.22967/HCIS.2022.12.016

Abstract

With the development of computer networks, the sensitive information of individuals and companies that is used in web applications has become a target for hackers. Web applications are particularly vulnerable to web session hijacking attacks. Various defenses against these attacks exist, including HTTPS, proxy servers, network attack detection, and session identifiers. However, these methods have drawbacks, such as high cost, detection rates that drop depending on the environment settings, and theft of the session identifier. In this paper, we propose the authentication of transposition-encrypted user information (ATEUI) technique to strengthen security against web session hijacking attacks. The technique authenticates each request using user information, which resolves the problems of the existing defense techniques. The data transported over the network are also double-encrypted, using a transposition cipher and RSA, for security. We conducted hacking-attack experiments to verify the security of the proposed technique, and they confirmed that ATEUI is more stable against hacking attacks than the existing defense techniques.


Keywords

Web, Session, Hijacking, Defense, Authentication, User Information


Introduction

The development of computer networks has increased user accessibility and the use of web services [1]. Web services are important tools in education, finance, health, and online services. The data used in web applications are sensitive personal or public information, including personal information, bank account information, health information, purchase information for online products, and the personal information of customers in company systems [2]. Because of their importance, web service data are highly exposed to hacking attacks, which target insufficiently protected sensitive data. Hacker attacks are very dangerous because they steal user data or forge user authorization [3]. Attacks against web applications are divided into advanced persistent threats targeting servers and attacks targeting users. The security of servers against attack has been improved by continuous management [4]. On the other hand, the security of users against attack has not been managed as well, and users are particularly vulnerable to session hijacking attacks. In a session hijacking attack, a hacker intercepts a user’s authenticated session identifier and impersonates a normal user. This is very dangerous, and the damage worsens daily [2].
Session hijacking attacks can be divided into TCP connection hijacking [5] and web session hijacking. Web session hijacking is divided into session fixation and session hijacking attacks [3]. The session hijacking attacks are divided into network traffic sniffing, session ID guessing, and XSS attacks [2]. The classification of a web session hijacking attack is illustrated in Fig. 1. In this paper, we investigated the network traffic sniffing attack corresponding to the interception of the session identifier.

Fig. 1. Classification of session hijacking and research fields.


Existing techniques for defending against web session hijacking include the use of HTTPS [6, 7], which is a secure socket of the network [2], session identifiers [2, 8, 9], proxy servers [3, 10–12], and the detection of attacks inside and outside the network [13]. These techniques have the following drawbacks. The techniques using HTTPS and proxy servers incur cost. The technique using a session identifier is vulnerable to theft and alteration of the session identifier by an attacker. In addition, the detection rate of the network attack detection technique may be extremely low depending on the operating system [13]. It is difficult to distinguish between users and attackers if the IP values of users vary, or if users and attackers use the same network band. The proposed technique authenticates the user with user information whenever the user contacts the server and requests a service. Therefore, even if the session identifier is stolen, the attack can be defended against, and security is enhanced by double encryption. The user information used in this technique consists of the device information of the user and information regarding the operating system; thus, the proposed technique defends against the following cases. First, if a hacker uses the same IP value or the same network band as the user, the proposed technique can distinguish between the user and the attacker, even if the stolen session identifier is used to request the service. Second, if a hacker uses a device that is different from that of the user, the proposed technique identifies the hacker as an attacker. Third, even if a hacker can use the user’s device, the hacker can be distinguished from the normal user if the account information in the operating system is different. Therefore, this paper addresses the problems of the existing web session hijacking defense techniques and proposes a more stable authentication of transposition-encrypted user information (ATEUI) technique with double encryption.


Related Work

Web Session Hijacking
Web session hijacking is an attack in which an attacker intercepts a session in the communication of a web service between a user and a server, and disguises itself as a normal user through unauthorized access [2, 3]. In Fig. 1, web session hijacking using a session identifier is divided into session fixation and session identifier hijacking attacks [3]. In a session fixation attack, the attacker first connects to the server normally to obtain a session, and then makes the user access the server with the attacker’s session identifier [14]. Session identifier hijacking attacks are divided into cross-site scripting (XSS) attacks, session identifier guessing attacks, and network traffic sniffing attacks [2]. An XSS attack stores malicious script code on the server, causing the user’s browser to execute the stored script and allowing the attacker to hijack the session [15, 16]. Session identifier guessing attacks include systematically and repeatedly guessing a session identifier and brute-force attacks that guess at random [2, 14]. The network traffic sniffing attack studied in this paper is a technique in which an attacker intercepts the data traffic transmitted between users and servers in network communication. The attacker analyzes the intercepted traffic and hijacks the active session of the user. The attacker sniffs the session identifier from the URL or from the cookie header field of the request and response messages transmitted during the communication between the user and the server. Sniffing refers to the act of eavesdropping on data traffic transmitted over a network [2]. The server can limit the use of user scripts, but even if the server increases security by the way it creates the session identifier, an attacker can sniff and exploit the data transmitted in the communication between the user and the server [3].

Defense of Web Session Hijacking
Existing defense techniques against web session hijacking attacks are as follows: a technique that uses HTTPS, which is a secure socket of the network; a technique that uses a proxy server; a technique that detects attacks internal and external to the network; and a technique that uses a session identifier [2, 3, 8, 12, 13]. HTTPS is an advanced hypertext transmission protocol, a communication protocol that uses network security sockets [6, 7], equipped with data protection and security against various attacks, such as man-in-the-middle attacks, eavesdropping, and alteration. The transmitted data are encrypted using transport layer security (TLS) or secure sockets layer (SSL) [2, 6, 7]. Despite these advantages, they are vulnerable to attack technologies, such as SSL strips, which allow man-in-the-middle attacks [2]. If there is a switch between HTTPS and HTTP pages in the operating site, or if they are mixed, they are exposed to various attacks, and the speed is slower than that of HTTP owing to encryption. Moreover, there is the disadvantage that costs are incurred when passing through a paid certification authority, and the validity period of the certificate is short when it is used free of charge; therefore, it must be updated with complex settings for each period [2, 6, 7]. One technique for defending against attacks using a proxy server is to manage session identifiers with a proxy server. The proxy server refers to a computer system that allows clients to indirectly access other network services and acts as a relay in communication between the client and server [10, 11]. The defense technique separates the session identifier existing in the HTTP header from the communication between the user and server and manages it separately using a proxy server [12]. However, to use this technique, additional proxy servers are required, which incurs costs and requires a complex configuration. 
Techniques for detecting attacks on a network are divided into those that detect attacks outside the network and those that detect attacks inside it. Inside the network, a sniffer is detected by its response to a broadcast message sent using the Internet Control Message Protocol (ICMP). Outside the network, filtering is used to detect the IPs of users and attackers. However, the probability of detecting an attack inside the network does not reach an appropriate level depending on the security settings or the operating system [13]. For detection from outside the network, if the user uses a dynamic IP, the IP may change depending on the connection environment. In particular, it is difficult to distinguish between a user and an attacker when the IP changes because the user moves to another area of a wireless network, and when the attacker and the user communicate on the same network. Session identifier techniques encrypt the session identifier, include a count in the session identifier, or create the session identifier by adding another value [2, 8]. However, encrypting the session identifier is useless when an attacker steals and uses the encrypted session identifier through a sniffing attack. There are two techniques for including the count in the session identifier: counting the session value in the program code and counting in a separate variable. In both, the attacker does not obtain the correct count value. However, if the attacker steals the session identifier, the attacker and the user can make a request to the server with the same count value, and if the attacker’s reset request or session reissuance request succeeds, the attacker may take over the count value.
The technique of including other values in the session identifier is a PHP-based technique for creating a session identifier by adding a USER_AGENT [17, 18] value representing browser information or a network IP value REMOTE_ADDR [18, 19] to the session identifier. In this technique, if the attacker uses the same version of the browser, the USER_AGENT value is the same as that of the user; therefore, security is poor. When a user moves through a wireless network, the IP address changes according to the region, which can misidentify the user as an attacker. Moreover, if an attacker uses the same network, it is vulnerable to an attack because the IP address reaching the server may be the same.

Data Encryption
The data transmitted over the network are encrypted for security. The basic encryption operations are substitution and transposition. Substitution hides the content of plaintext by replacing the letters or numbers of the plaintext with other letters or numbers. Transposition changes the content of plaintext by altering the position and order of the letters or numbers in the plaintext. There are two types of ciphers, classical and modern. In classical ciphers, transpositions change the positions of characters and substitutions change characters into other characters. Modern ciphers include symmetric-key and public-key ciphers. Symmetric-key ciphers include the data encryption standard (DES), triple-DES, and the advanced encryption standard (AES), and public-key ciphers include the Diffie-Hellman key exchange (DH) and RSA (Rivest-Shamir-Adleman) [20, 21]. Among modern ciphers, public-key ciphers are mainly used. DH relies on the complexity of discrete logarithm calculations and is vulnerable to man-in-the-middle and DoS attacks [22, 23]. RSA was developed based on the difficulty of prime factorization and is currently widely used [24]. In this paper, we propose a combination of a simple transposition cipher, a classical cipher applied to the user information data, and the modern cipher RSA applied to the network communication.


ATEUI Technique

Structure and Components of ATEUI
Fig. 2. Web session hijacking attack on a session to which the ATEUI technique is applied.


The ATEUI technique is an authentication technique that uses encrypted user information and, among the web session hijacking protection techniques, defends against network traffic sniffing attacks. The ATEUI technique is presented as a flow chart in Fig. 2. When a login request is made, the user information transmitted as in ① is stored on the server as in ②, and the session ID issued by the server as in ③ is used for authentication. If the hacker requests user information by performing a session hijacking attack, as shown in ④, the hacker’s own information is sent along with the session ID, as shown in ⑤. When the server compares them, as shown in ⑥, the session ID is the same, but the user information stored on the server and the information value of the hacker differ; thus, it can be confirmed that the person who requested the information is not a normal user. In this process, all the transmitted user information is pre-encrypted for data security and stability, and RSA encryption and decryption are then performed on every transmission.
The user information used in the ATEUI technique to defend against web session hijacking attacks consists of five components: (1) the identifier of the account currently logged into the operating system of the user, (2) the BIOS (basic input/output system) serial number of the user device, (3) the mainboard serial number of the user device, (4) the system UUID (universally unique identifier) value of the user device, and (5) a counter that starts from a generated random number and is increased on each request.
Components (1)–(4) are used as values for comparing user information when determining a normal user in the server, and component (5) is used as a count value to compare the number of requests. Component (1) uses the identifier of the currently logged-in account in the operating system used by the user. When individuals, organizations, and companies use a device’s operating system, they use a separate account; hence the operating system users are also distinguished, and user information changes. Even if an attacker steals a user session with another account in the operating system, the account information is different; therefore, it can be defended. Components (2)–(4) are the user’s device value, and when the device is changed, the user information is also changed. This can prevent a user’s session hijacking attack because the device information is different, even when the operating system is copied to another device. Component (2) uses the serial number of BIOS, component (3) uses the serial number of the motherboard, and component (4) uses the device system’s UUID value. Component (5) is the user’s request count, and a constant value is counted and used whenever user information is transmitted based on a random number generation value. It is possible to compare the number of requests made by the user with the changing count value, and a different value is generated each time the encryption is performed, further enhancing the stability.

Transposition Encryption and RSA Encryption of Data
Encryption is performed to prevent the risk of hacking during the entire network transmission process. Encryption is performed in two stages by combining the classical cipher (simple transposition cipher) and modern cipher (RSA). As shown in Fig. 3, the encryption steps are as follows. The plain-text data of the user information are converted into encrypted text using a transposition cipher prior to network transmission. It is then encrypted again with the RSA public key sent by the server and transmitted. The ciphertext received by the server is decrypted with the RSA secret key and converted into plaintext data again using the transposition cipher.

Fig. 3. Data encryption procedure.


User information data are preprocessed using a transposition cipher. User information undergoes a pre-processing step that rearranges the order of the data before it is encrypted with RSA. In this paper, the result is called transposition-encrypted user information (TEUI). The transposition cipher is shown in Fig. 4. The transposition cipher exchanges certain sections of the user information data. In this figure, A to H are sections of the data that combine the user information and the session ID. Section 1 (A–D) and Section 2 (E–H) are exchanged and relocated. The data are divided into two sections in Fig. 4, but can be divided into more sections as needed by the developer. This operation is performed before RSA encryption on the client and reversed after RSA decryption on the server.

Fig. 4. Transposition cipher of data.


Transmission and Storage
When a user requests access to a web page, the user information goes through a transmission step and a server storage step. The detailed flow of these steps is shown in Fig. 5. When the user first requests access to the server, the server creates a session and responds to the user, as shown in ①. At this time, the server sends the PK and the RSA public key together. The user information is transposition-encrypted, as shown in ②, encrypted with the RSA public key, and transmitted to the server. As shown in ③, the server decrypts the user information with the RSA private key, converts the transposed ciphertext back to plaintext, and stores it in storage. The server then responds to the user request, and Fig. 5 connects to the comparison step shown in Fig. 6 of Section 3.4.

Fig. 5. Flow chart of transmission and storage step.


Comparison and Handling of Abnormal Access
When a user requests a normal login, the server compares the user information that sends the request to the user information stored in the server. The flow of the comparison step is illustrated in Fig. 6.
When the user sends the encrypted user information with a request, as shown in ①, the server decrypts it using the RSA private key, as shown in ②. Subsequently, the server checks whether it matches the user information stored on the server, as shown in ③. The compared data are the components specified in Section 3.1. If the comparison matches, the requester is considered a normal user and processed as Ⓒ; otherwise, the requester is an abnormal user and processed as Ⓑ. Ⓐ in Fig. 6 is the process that follows “SERVER, Response(LoginPage) + Session” in Fig. 5. If the comparison determines an abnormal user, abnormal connection processing follows. The flow of abnormal connection processing is illustrated in Fig. 7. If the server compares the user information and determines that the requester is an abnormal user, it records a log and returns an error page or blocks the requester. The log records the abnormal user’s user information, MAC address, and IP address, as shown in ①. The error page is returned only up to a total of four times, as shown in ②, after which the MAC address or IP address of the abnormal user is blocked, as shown in ③. The limit of four error pages allows for a data error occurring during communication between a normal user and the server. Ⓑ in Fig. 7 is the Ⓑ that is executed when the result of ① in Fig. 6 is “False.”

Fig. 6. Flow chart of the comparison stage.


Fig. 7. Flow chart of abnormal connection processing.
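The comparison and abnormal-access handling of Sections 3.4 and 3.5 (Figs. 6–8), as an added example in Node.js run over a constructed request sequence; this is not the paper's implementation. It assumes the user information has already been decrypted (the RSA and transposition layers are outside this block), that component (5) advances by a fixed step of 1 per accepted request, and that the per-session error counter is not reset by a successful request, since the paper does not say otherwise. The session ID, device identifiers and addresses are constructed values.

```javascript
const MAX_ERROR_PAGES = 4;   // error page returned up to four times, then block (Fig. 7, step 2-3)
const COUNT_STEP = 1;        // assumed increment of component (5) per accepted request

// Components (1)-(4) must all equal the stored record, and component (5) must
// have advanced by exactly COUNT_STEP since the last accepted request.
function sameUser(stored, presented) {
  const fields = ['account', 'bios', 'board', 'uuid'];
  return fields.every((f) => stored[f] === presented[f])
    && presented.count === stored.count + COUNT_STEP;
}

class AteuiServer {
  constructor() {
    this.sessions = new Map();  // session ID -> { info, errors }
    this.blocked = new Set();   // blocked IP and MAC addresses
    this.log = [];              // abnormal-access log (Fig. 7, step 1)
  }

  // Login (Fig. 5, step 3): store the decrypted user information under the session ID.
  storeLogin(sessionId, userInfo) {
    this.sessions.set(sessionId, { info: { ...userInfo }, errors: 0 });
  }

  // Every later request (Fig. 6): returns 'ok', 'error_page', 'blocked' or 'no_session'.
  handleRequest(sessionId, presentedInfo, client) {
    if (this.blocked.has(client.ip) || this.blocked.has(client.mac)) return 'blocked';
    const rec = this.sessions.get(sessionId);
    if (!rec) return 'no_session';
    if (sameUser(rec.info, presentedInfo)) {
      rec.info.count = presentedInfo.count;     // accept and advance the request counter
      return 'ok';                               // path C in Fig. 6
    }
    // Path B: log the user information, MAC and IP of the abnormal access.
    this.log.push({ sessionId, ip: client.ip, mac: client.mac, info: { ...presentedInfo } });
    rec.errors += 1;
    if (rec.errors > MAX_ERROR_PAGES) {
      this.blocked.add(client.ip);
      this.blocked.add(client.mac);
      return 'blocked';                          // Fig. 7, step 3
    }
    return 'error_page';                         // Fig. 7, step 2
  }

  // Logout (Fig. 8): compare once more; on a match delete the stored record.
  logout(sessionId, presentedInfo, client) {
    const result = this.handleRequest(sessionId, presentedInfo, client);
    if (result === 'ok') this.sessions.delete(sessionId);
    return result;
  }
}

// Constructed scenario: a normal user, then an attacker presenting the stolen
// session ID from a different device and OS account, then the user again.
function runScenario() {
  const server = new AteuiServer();
  const user = { account: 'alice', bios: 'BIOS-SN-000123', board: 'MB-SN-000456',
                 uuid: '7f0e2c1a-0000-4000-8000-000000000001', count: 4711 };
  const userClient = { ip: '192.0.2.10', mac: '02:00:00:00:00:0a' };
  const attacker = { account: 'mallory', bios: 'BIOS-SN-999999', board: 'MB-SN-999999',
                     uuid: '00000000-0000-4000-8000-00000000ffff', count: 4712 };
  const attackerClient = { ip: '192.0.2.99', mac: '02:00:00:00:00:63' };

  server.storeLogin('SID-1', user);
  const results = [];
  results.push(server.handleRequest('SID-1', { ...user, count: 4712 }, userClient));
  for (let i = 0; i < 6; i++) {
    results.push(server.handleRequest('SID-1', attacker, attackerClient));
  }
  results.push(server.handleRequest('SID-1', { ...user, count: 4713 }, userClient));
  results.push(server.logout('SID-1', { ...user, count: 4714 }, userClient));
  return { results, logEntries: server.log.length, sessionsLeft: server.sessions.size };
}
```

Two points worth checking when deploying this logic. The counter means that even a replay of the user's own captured ciphertext fails the comparison, because the count inside it is stale; that is what component (5) adds beyond components (1)–(4). Blocking by IP address, on the other hand, affects every client behind the same address, so if the attacker shares the user's network band (the case the paper explicitly wants to distinguish), the block in step ③ of Fig. 7 also reaches the legitimate user; blocking by MAC address is only meaningful on the local segment where the MAC is visible to the server.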


Normal User Logout
When logging out, if user information is compared and determined to be a normal user, normal termination is performed. A flow chart of normal user logout processing is shown in Fig. 8.

Fig. 8. Flow chart of normal user logout.


In Fig. 8, Ⓒ continues the process from Ⓒ in Fig. 6, and Ⓑ in Fig. 8 leads to Ⓑ in Fig. 7. When a normal user logs out, the encrypted information (①) of the user who wants to log out is compared with the user information (②) stored on the server. If both values are the same, the user is logged out as in ③, and the stored user information is deleted as in ④. If the comparison result is false, as shown in ⑤ in Fig. 8, the process moves to Ⓑ in Fig. 7 and performs abnormal connection processing.


Implementation and Experiment

Implementation
The implementation environment of the proposed defense technique is presented in Table 1. XAMPP (Apache 2.4.43, PHP 7.4.5, OpenSSL 0.9.8k) is used as the server program, and the development languages and libraries are PHP 7.4.5, JavaScript, jQuery 3.5.1, and JSEncrypt (RSA encryption).

Table 1. Implementation environment

             Attacker                Server                Client
CPU          Intel Core i7-4600M     Intel Atom N470       Intel Core i5-3320M
Memory       8 GB                    2 GB                  8 GB
OS           Windows 7 64-bit        Windows 7 64-bit      Windows 7 64-bit
Platform     IE11, Wireshark         XAMPP                 IE11

Windows and Internet Explorer are the implementation environment, and the logged-in account information of the operating system is used as user information. Log records of abnormal access and user information are saved in an ordinary file. On every user request, the user’s information is compared with that stored on the server to determine whether the requester is a normal user or a hacker. IP and MAC addresses are not used as comparison data, because the IP address is liable to change and the MAC address can be changed by replacing the network device. In this paper, the comparison data are the user information defined in Section 3.1.

Experiment
We investigated whether the proposed ATEUI technique defends more stably than the existing techniques. The experiment excludes costly techniques and techniques whose results vary depending on the operating system and settings. We selected the session identifier technique with increasing values and the encrypted session identifier technique. Web session hijacking attack experiments were conducted against four defense techniques: session identifiers with a set validity time, session identifiers with increasing values, encrypted session identifiers, and the proposed ATEUI technique. The attacker eavesdrops on a user packet to obtain the session information from the packet, then uses it to log in and request information from the server while pretending to be the user. Wireshark was used as the attacker’s packet capture program. The procedures and results of the four web session hijacking attack experiments are as follows.

Session identifier techniques with a set validity time
If the session identifier is given a set validity time, it cannot be used after that time has elapsed. However, if an attacker steals the session identifier within its validity time, the attacker can request services, so the following attack experiment was performed. The experiment with the defense technique using a session identifier with a set validity time is shown in Fig. 9. In ①, the user sends a connection request to the server, and the server responds and simultaneously creates and issues a session. In ②, the user requests the login page from the server and the server responds. In ③, the user logs into the server and the server responds to the login. In this process, the attacker intercepts the packets between the user and the server, as shown in ④, and steals the session identifier of the user from the intercepted packet, as shown in ⑤. When the attacker sends a request to the server, as shown in ⑥, the server misinterprets it as a normal user and responds accordingly. At the same time, the user still receives responses to its own requests, as shown in ⑦, and thus does not notice that it has been hacked.

Fig. 9. Experimental diagram of session identifier techniques with a set validity time.


Session identifier techniques with increasing values
If the session identifier value is increased on each request, the attack becomes harder, because the session value changes every time the user requests a service. However, an attacker can still request the service by hijacking the session between two consecutive user requests, so the following attack experiment was conducted. The experiment with the defense technique using a session identifier with an increasing value is as follows; Fig. 10 shows the flow of the attack experiment.
In ①, the server issues a session in response to a connection request. At ②, it counts the session ID and sends the requested response with this value. At ③, when the user logs into the server, it responds to the login. The server response value is the counted session ID. In ④ and ⑤, the attacker steals the session identifier of the user and sets the session identifier to be used. If an attacker sends a request to the server, as shown in ⑥, the server considers the attacker as a normal user. If the user’s request is later than the attacker’s request, the session count is changed, and the correct response cannot be received, as shown in ⑦.

Fig. 10. Experimental diagram of session identifier technique with increasing values.


Encrypted session identifier technique
Encrypting session values makes it difficult to verify content. However, an attacker can use an encrypted session identifier if the encrypted session value has been stolen. An experiment on this type of attack was conducted. The contents of the experiment with the defense technique using the encrypted session identifier are as follows. Fig. 11 shows the flow of the attack experiment.

Fig. 11. Experimental diagram of encrypted session identifier technique.


In ①, the server issues a session in response to a connection request. In ②, the user requests the login page from the server and the server responds accordingly. In ③, when the user logs in, the server encrypts the session and sends it in the login response. In ④ and ⑤, the attacker steals the session identifier of the user and sets it as the session identifier to be used. If the attacker sends a request to the server, as shown in ⑥, the server mistakes the attacker for a normal user even though the session is encrypted. The normal user can also still make requests to the server, as shown in ⑦.

Proposed ATEUI techniques
The contents of the experiment with the defense technique applying ATEUI are as follows. Fig. 12 shows the flow of the attack experiment. As shown in ①, when a user first connects to a web application, he/she sends a request to the server. At this time, the server generates a session identifier, issues it to the user, and responds by sending the RSA public key along with it. When a user logs in, the pre-encrypted user information is encrypted with the RSA and sent to the server along with a request.
As shown in ②, the server stores the user information in server storage and responds. Step ③ compares the user information stored in the server’s storage with the user information sent with the login request and responds in the case of normal access. In ④ and ⑤, the attacker steals the user’s session identifier and sets it as the session identifier to be used. In Step ⑥, the server compares the attacker’s information with the stored user information. Because the compared values differ, the server determines the request to be an abnormal access and responds with an error page, as shown in ⑦. Allowing for network errors or data corruption in communication, up to four abnormal accesses are answered with an error page; beyond five, the server responds with access denied. In the case of a normal user, if the compared information is the same, as shown in ⑧, the server determines the access to be normal and responds to the user’s request, as shown in ⑨.

Fig. 12. Experimental diagram of defense technique applying ATEUI.


Results and Discussion
This section presents the results of the attack experiments against the four defense techniques. It compares the average performance time measured in each experiment and the responses to requests during the hacking experiment, and then discusses the results. A comparison of how the hacker is perceived in each experiment and how requests are handled is presented in Table 2. The techniques that employ session identifiers with a set validity time, session identifiers with increasing values, and encrypted session identifiers misperceive the hacker as an end-user. Therefore, they send neither error messages nor restriction messages to the hacker, which results in incorrect responses to the hacker’s requests. The proposed technique, ATEUI, correctly recognizes the hacker as an abnormal user and sends an error message in response to the hacker’s request. If the request is repeated more than five times, it sends a restraining message, thereby handling the hacker’s request properly.

Table 2. Comparison of results of web session hijacking attack experiments

Experimental type                     Hacker awareness                           Response to request
Session ID with a set validity time   Misrecognized as a normal user             Incorrect response
Session ID with increased value       Misrecognized as a normal user             Incorrect response
Encrypted session ID                  Misrecognized as a normal user             Incorrect response
Proposed ATEUI                        Correctly recognized as an abnormal user   Correct response

A comparison of the mean performance times of the experiments employing various defense techniques is presented in Table 3. The rendering time in Table 3 is the amount of time it takes for a browser to display a web page, and the steps of increasing values, authentication, and encryption are performance steps that affect security and safety. The session identifier techniques with a set validity time was the fastest one with only 1.35 ms overall processing time. The technique of increasing the value of the session identifier consumed 0.35 ms to count and 1.42 ms to process, resulting in a total of 1.77 ms. The encrypted session identifier technique spent 6.24 ms to encrypt and 1.70 ms to process, thus taking a total of 7.94 ms. The ATEUI technique consumed 63.15 ms of user authentication time, 6.63 ms of encryption time, and 2.29 ms of other processing time. The ATEUI technique was the longest in terms of time expended, that is, 72.7 ms.

Table 3. Comparison of average performance times

                                      Performance time (ms)
Experimental type                     Rendering   Increasing values   Authentication   Encryption
Session ID with a set validity time   1.35        -                   -                -
Session ID with increased value       1.42        0.35                -                -
Encrypted session ID                  1.70        -                   -                6.24
Proposed ATEUI                        2.29        -                   63.15            6.63

Among the four techniques, the session identifier technique with a set validity time has the fastest overall processing time; however, the exposure of the session identifier makes it highly vulnerable to attack. The technique with increasing values increases the session identifier value each time a normal user requests a service, but an attacker can hijack the session identifier in the middle of the normal user’s service use and thereby obtain the increased value. The encrypted session identifier technique encrypts the session identifier; however, an attacker can still use the encrypted identifier after hijacking it. The proposed ATEUI technique had an overall processing time of less than one second. This time is required to ensure security and safety, and it includes the authentication and encryption steps using user information. Consequently, the existing defense techniques are vulnerable to web session hijacking attacks because they lack authentication and encryption stages, and the proposed ATEUI technique was confirmed to be more reliable than the conventional defense techniques.


Conclusion

Web applications are particularly vulnerable to web session hijacking attacks. Existing defense techniques are costly, their effectiveness depends on the operating system or network environment, and if the session identifier itself is stolen, it is not easy to defend against the hacker's abuse of that identifier. The ATEUI technique, in contrast, has a low cost and is not restricted to a particular operating system. When a hacker requests information from the server with a stolen session identifier, the user and the attacker can be distinguished even if the attack is mounted from the user's IP address or from the same network. The ATEUI technique uses user information in addition to the session identifier for user authentication in web applications. Transposition encryption and RSA encryption are used together to enhance the security of the network communication: considering encryption processing speed and data security, a simple transposition cipher was added to the public key encryption technique as a second layer of encryption. When the user transmits a connection request message to the server, the user information is transmitted along with it; the server stores this user information and compares it with the user information transmitted with every subsequent request from the logged-in user. The risks of hijacking and tampering are low because the check is tied to the user's device and operating system information. The values used as user information are the user's device values, such as the BIOS serial number, the mainboard serial number, and the system UUID of the user's device. Hence, the user information changes when the device changes, so even if the operating system is copied to another device, it is feasible to defend against the attack.
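The server-side binding described above, as an added Python illustration that is not the paper's own code: the client transposition-encrypts its device information with a shared column-permutation key, the server stores a digest of it at login and compares on every later request, so a replayed session identifier from another device is refused. The device values, the transposition key and the message format are constructed assumptions, and the RSA outer layer the paper pairs with the transposition step is left out.

```python
import hashlib
import hmac
import secrets
# Constructed device information in the shape the paper describes
# (BIOS serial, mainboard serial, system UUID). All values are made up.
USER_DEVICE = {"bios": "BIOS-0001-AAAA", "board": "MB-7788-ZZ", "uuid": "1111-2222-3333"}
HIJACKER_DEVICE = {"bios": "BIOS-9999-HHHH", "board": "MB-0000-HK", "uuid": "9999-8888-7777"}
KEY = [2, 0, 3, 1]  # hypothetical shared transposition key: a permutation of column indices
PAD = "\x00"        # padding character that cannot occur in a serial number

def transpose(plaintext: str, key: list) -> str:
    """Columnar transposition: write rows of len(key), read the columns in key order."""
    n = len(key)
    padded = plaintext + PAD * (-len(plaintext) % n)
    rows = [padded[i:i + n] for i in range(0, len(padded), n)]
    return "".join(row[c] for c in key for row in rows)

def untranspose(ciphertext: str, key: list) -> str:
    """Inverse of transpose(): rebuild the columns, then read the rows back."""
    n, height = len(key), len(ciphertext) // len(key)
    cols = {c: ciphertext[i * height:(i + 1) * height] for i, c in enumerate(key)}
    return "".join(cols[c][r] for r in range(height) for c in range(n)).rstrip(PAD)

def client_message(info: dict) -> str:
    """What the client transmits with each request: its user information, transposition-encrypted."""
    return transpose("|".join(info[k] for k in ("bios", "board", "uuid")), KEY)

def fingerprint(enc_device: str) -> str:
    """Server side: decrypt, then keep only a digest of the user information, not the raw serials."""
    return hashlib.sha256(untranspose(enc_device, KEY).encode()).hexdigest()

class Server:
    def __init__(self):
        self.sessions = {}  # session id -> device fingerprint bound at login

    def login(self, enc_device: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = fingerprint(enc_device)
        return sid

    def authorize(self, sid: str, enc_device: str) -> bool:
        bound = self.sessions.get(sid)
        # Unknown session id, or a known id presented from a different device, is refused.
        return bound is not None and hmac.compare_digest(bound, fingerprint(enc_device))

def demo() -> tuple:
    """Legitimate login, then the same session id replayed from the hijacker's device."""
    server = Server()
    sid = server.login(client_message(USER_DEVICE))
    return server.authorize(sid, client_message(USER_DEVICE)), server.authorize(sid, client_message(HIJACKER_DEVICE))
```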
A hacking comparison experiment was conducted between the ATEUI technique proposed in this paper and the three existing techniques to confirm safety and security against web session hijacking attacks. Only the ATEUI technique recognized the hacker as an abnormal user and processed the response correctly. It was confirmed that the ATEUI technique eliminates the problems of the existing defense techniques and defends stably against attacks by reinforcing the encryption of the transmitted data. However, in terms of the execution time of each step, a significant amount of time is required because encryption and decryption are performed on every request for data security. In a future study, we will focus on a technique that ensures security and safety while reducing the execution time of encryption and decryption in a network environment.


Author’s Contributions

Conceptualization, WSH. Methodology, WSH, JGS, JSP. Validation, WSH, JGS. Investigation, WSH. Writing—original draft preparation WSH. Writing—review and editing, WSH, JGS, JSP. Supervision, JSP. Project administration, JGS, JSP. Funding acquisition, JSP.


Funding

None.


Competing Interests

The authors declare that they have no competing interests.


Author Biography

Author
Name : Woo Seob Hwang
Affiliation : Korea National Open University
Biography : He received his B.S. and M.S. degrees in Computer Science from Korea National Open University, Seoul, Korea, in Feb. 2018 and Aug. 2020, respectively. His research interests are in Web Programming and Web Security.

Author
Name : Jin Gon Shon
Affiliation : Korea National Open University
Biography : He received the BSc degree in mathematics and the MS and PhD degrees in computer science from Korea University, Seoul, Korea. Since 1991, he has been with the Department of Computer Science, Korea National Open University (KNOU). He had been a Visiting Professor for one year from August 1997 at State University of New York (SUNY) at Stony Brook, USA. After serving the Head of Information & Computer Center and the Head of e-Learning Center, Professor Shon had established the Department of e-Learning, the first master program of e-Learning in Korea, and served as the Chair of the Department until 2010. For two years after that, he had been working for KNOU as Director of the Digital Media Center, where all of KNOU e-learning contents and TV programs are produced. His research interests are in computer networks, distributed computing, and ITLET (Information Technology for Learning, Education, and Training) as a member of Korean Delegation to ISO/IEC JTC1/SC36 since 2000. He has made presentations in many conferences, and he won the Best Paper Award (Gold Medal) in the 24th AAOU Annual Conference in 2010. He has also published over 30 scholarly articles in the noted journals and written several books on computer science and e-learning.

Author
Name : Ji Su Park
Affiliation : Jeonju University
Biography : He received his B.S. and M.S. degrees in Computer Science from Korea National Open University, Korea, in 2003 and 2005, respectively, and his Ph.D. degree in Computer Science Education from Korea University in 2013. He is currently a Professor in the Dept. of Computer Science and Engineering at Jeonju University in Korea. His research interests are in Mobile cloud computing, Cloud computing, Distributed systems, and AIoT. He serves as associate editor of Human-centric Computing and Information Sciences (HCIS) by Springer and of The Journal of Information Processing Systems (JIPS) by KIPS. He has received "best paper" awards from the CSA2018 conference and "outstanding service" awards from CUTE2019 and BIC2020.


  • Received 11 July 2021
  • Accepted 3 January 2022
  • Published 15 April 2022