Result: CAXSS: A Cookie Authentication Scheme Against XSS Attacks for HTTPS.

Title:
CAXSS: A Cookie Authentication Scheme Against XSS Attacks for HTTPS.
Source:
Electronics (2079-9292); Jan 2026, Vol. 15 Issue 1, p82, 30p
Database:
Complementary Index

More information

Although cookies introduced as session authentication tokens in Hypertext Transfer Protocol (HTTP) resolve its stateless limitation, their static nature introduces vulnerabilities to cross-site scripting (XSS) attacks. Attackers exploit unfiltered user input to inject malicious scripts into web applications, enabling theft of user cookies for session hijacking. While HTTP Secure (HTTPS) employs Transport Layer Security (TLS) to encrypt communications, it remains susceptible to client-side script injection vulnerabilities that bypass TLS protections. Current cookie session hijacking protections focus on credential security but remain vulnerable to link-layer attacks. To address this challenge, we propose a novel Cookie Authentication Scheme against XSS Attacks (CAXSS) for HTTPS. The CAXSS scheme applies signatures to the messages exchanged by the original HTTPS protocol to achieve mutual identity authentication. Specifically, clients authenticate cookies using digital signatures based on Elliptic Curve Cryptography (ECC), while servers reject unsigned cookies. This approach ensures that only legitimate clients can generate valid cookie credentials, thwarting unauthorized cookie reuse. The results of security analysis and performance evaluations demonstrate that the CAXSS scheme is secure and effective. [ABSTRACT FROM AUTHOR]

Copyright of Electronics (2079-9292) is the property of MDPI and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)