HTTP Session Identification Research project 2 Kevin de Kok Marcus - - PowerPoint PPT Presentation

HTTP Session Identification Research project 2 Kevin de Kok Marcus Bakker 30 June 2010 Agenda Introduction Research question Project scope Dataset Identification methods Conclusion Future work Questions?


SLIDE 1

HTTP Session Identification

Research project 2 Kevin de Kok Marcus Bakker 30 June 2010

SLIDE 2

30-06-10 HTTP Session Identification 2

Agenda

  • Introduction
  • Research question
  • Project scope
  • Dataset
  • Identification methods
  • Conclusion
  • Future work
  • Questions?
SLIDE 3

Introduction (1)

  • What is a HTTP session?
SLIDE 4

Introduction (2)

  • The need to identify HTTP sessions [1]
  • Not trivial to identify HTTP sessions
  • HTTP is a sessionless protocol
  • Request - Response

[1] T. Kinkhorst and M. van Kleij. Busting the ghost on the web: real time detection of drive-by-infections, June 2009. URL http://www.delaat.net/~cees/sne-2008-2009/p46/report.pdf.

SLIDE 5

Research question

  • How can HTTP sessions be distinguished from each other?

SLIDE 6

Project scope

  • RFC 2616
  • The methods to identify a HTTP session will be developed for web 1.0 (e.g. no Ajax)
  • The HTTP session identification will be executed from a central point in the network (no host-based detection)

SLIDE 7

Dataset

  • Labsite (bookmark)
      • Opened three hyperlinks
  • Security.nl (bookmark)
      • Opened three hyperlinks
  • 8 HTTP sessions (2 bookmarks + 6 hyperlinks)
SLIDE 8

Identification methods

  • Two categories of methods:
      • Start of a HTTP session
      • HTTP message correlation
SLIDE 9

Start of a HTTP session

  • Time between successive fetches
  • Hyperlink present at GET header
  • No referrer
SLIDE 10

Time between successive fetches (1)

  • 10 – 600ms [2]

[2] Y. Bhole and A. Popescu. Measurement and analysis of http traffic, December 2005.

t > AOT

Proof of Concept

SLIDE 11

Time between successive fetches (2)

  • “Slow” browsing (mobile phone?)
SLIDE 12

Hyperlink present at GET header (1)

  • Hyperlink

Hyperlink: 1/index.html
GET header: /rp2/new_website/1/index.html

[Diagram labels: Hyperlink, HTTP request message, HTML Body]

SLIDE 13

Hyperlink present at GET header (2)

  • 301 response message contains a hyperlink
SLIDE 14

No referrer (1)

  • Address bar
  • Bookmark

Proof of Concept

SLIDE 15

No referrer (2)

  • JavaScript removes the referrer
SLIDE 16

HTTP message correlation

  • HTML body HTTP GET correlation
  • Link the referrers
SLIDE 17

HTML body HTTP GET correlation (1)

URI embedded object: lokaal_plaatje.png
GET header: /rp2/new_website/lokaal_plaatje.png

[Diagram labels: Picture, HTTP request message, HTML Body]

SLIDE 18

HTML body HTTP GET correlation (2)

  • JavaScript:

document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));

SLIDE 19

Link the referrers (1)

Host+GET header: bulbasaur.studlab.os3.nl/rp2/new_website/
Referrer: http://bulbasaur.studlab.os3.nl/rp2/new_website/

[Diagram labels: HTTP request message, HTML Body, image]

SLIDE 20

Link the referrers (2)

  • JavaScript can change the referrer:

http://pagead2.googlesyndication.com/pagead/ads?client=<VERY LONG STRING>

SLIDE 21

Conclusion

  • Start of a HTTP session
      • Time between successive fetches
      • Hyperlink present at GET header
      • No referrer
  • HTTP message correlation
      • HTML body HTTP GET correlation
      • Link the referrers
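
A sketch of how three of the methods listed above combine, added here as an example and not taken from the presentation or the authors' proof of concept: a request with no referrer, or one arriving after a pause longer than a threshold, starts a session, and every other request joins the session of the request its Referer points to. The 600 ms threshold, the single-client capture, the sample requests and all function names are assumptions.

```python
from urllib.parse import urlsplit

GAP_S = 0.6  # assumed threshold: upper end of the 10-600 ms range on the slide

# Constructed sample capture of one client: (seconds, Host, GET path, Referer)
REQUESTS = [
    (0.00, "lab.example", "/site/", None),  # bookmark
    (0.05, "lab.example", "/site/style.css", "http://lab.example/site/"),
    (0.12, "lab.example", "/site/logo.png", "http://lab.example/site/"),
    (7.30, "lab.example", "/site/1/index.html", "http://lab.example/site/"),  # click
    (7.36, "lab.example", "/site/1/pic.png", "http://lab.example/site/1/index.html"),
    (20.00, "news.example", "/", None),  # bookmark
    (20.10, "news.example", "/banner.gif", "http://news.example/"),
]


def referer_key(url):
    """Reduce a Referer URL to the Host+GET form used for matching."""
    parts = urlsplit(url)
    return parts.netloc.lower() + (parts.path or "/")


def identify_sessions(requests, gap_s=GAP_S):
    """Group requests into sessions; returns a list of lists of Host+GET strings."""
    sessions = []   # session index -> Host+GET strings of its requests
    owner = {}      # Host+GET of a request already seen -> its session index
    last_ts = None
    for ts, host, path, referer in sorted(requests, key=lambda r: r[0]):
        key = host.lower() + path.split("?", 1)[0]
        parent = owner.get(referer_key(referer)) if referer else None
        paused = last_ts is not None and ts - last_ts > gap_s
        if parent is None or paused:
            # Start of a session: no referrer, a referrer that matches no
            # earlier request (assumption: treated as a start), or a pause.
            sessions.append([])
            sid = len(sessions) - 1
        else:
            # Link the referrers: join the session of the referring request.
            sid = parent
        sessions[sid].append(key)
        owner[key] = sid
        last_ts = ts
    return sessions


if __name__ == "__main__":
    for number, members in enumerate(identify_sessions(REQUESTS), 1):
        print(number, members)
```

A request whose Referer was changed by JavaScript matches no earlier request, so this sketch counts it as an extra session.
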
SLIDE 22

Future work

  • Large scale testing
  • Time between successive fetches for mobile phones

  • Web 2.0
SLIDE 23

Questions?
