We describe a new attack against web authentication, which we call dynamic pharming. Dynamic pharming works by hijacking DNS and sending the victim’s browser malicious JavaScript, which then exploits DNS rebinding vulnerabilities and the name-based same-origin policy to hijack a legitimate session after authentication has taken place. As a result, the attack works regardless of the authentication scheme used. Dynamic pharming enables the adversary to eavesdrop on sensitive content, forge transactions, sniff secondary passwords, etc. To counter dynamic pharming attacks, we propose two locked same-origin policies for web browsers. In contrast to the legacy same-origin policy, which regulates cross-object access control in browsers using domain...
Session cookies constitute one of the main attack targets against client authentication on the Web. ...
Client authentication on the web has remained in the internet-equivalent of the stone ages for the l...
Web users are increasingly victims of phishing, spoofing and malware attacks. In this article, we di...
The Web’s principal security policy is the Same-Origin Policy (SOP), which enforces origin-based iso...
Pharming attacks - a sophisticated version of phishing attacks - aim to steal ...
With the deployment of "always-connected" broadband Internet access, personal ...
We present new attacks and robust countermeasures for security-sensitive compo...
The standard solution for mutual authentication between human users and servers on the Internet is t...
HTTPS is designed to protect a connection against eavesdropping and man-in-the-middle attac...
Today, entity authentication in the TLS protocol involves at least three complex and partly insecure...
Modern websites set multiple authentication cookies during the login process to allow users to rema...
The web has become a new, highly interactive medium. Many modern websites provide their users with t...
Browser-based defenses have recently been advocated as an effective mechanism to protect potentially...
Client authentication has been a continuous source of problems on the Web. Although many well-studie...
In early days, web pages always use a state for keeping an authentication state between br...