MEASURING IMPROPER TOKEN INVALIDATION IN REAL-WORLD WEB LOGINS

Lamisa, Kazi Farhat (2024) MEASURING IMPROPER TOKEN INVALIDATION IN REAL-WORLD WEB LOGINS. Masters thesis, Concordia University.

Text (application/pdf)
Lamisa_MASc_F2024.pdf - Accepted Version
Restricted to Repository staff only until 18 December 2025.
Available under License Spectrum Terms of Access.
805kB

Abstract

In this thesis, we examine token invalidation flaws in real-world web applications. While previous research has focused on cookie invalidation upon user logout, we investigate the issue by examining token-based authorization in various contexts (e.g., user logout, user verification, password recovery). Specifically, we focus on JSON Web Tokens (JWTs) to look for invalidation flaws, as JWTs are stateless and require web servers to implement a separate invalidation mechanism for instant invalidation. To audit invalidation flaws, we conduct a large-scale study on the top 1 million websites from Google's Chrome User Experience Report (CrUX). We develop an automated tool, LoginPlus, which handles tasks such as user registration, login and password recovery. Utilizing LoginPlus, we first identify JWTs used to fetch resources from a web server while the user is authenticated and determine whether these tokens are invalidated upon user logout. LoginPlus also handles all emails sent during account creation and password recovery, identifying whether tokens included in URLs sent to users for email verification or password recovery are invalidated after a single use, and checking whether these URLs remain reusable over time. Finally, we evaluate whether the websites invalidate all previously active sessions after a user resets their password through the password recovery mechanism (e.g., 'forgot password').

Our analysis provides a comprehensive overview of the current state of invalidation issues in token-based authorization schemes across real-world websites and reveals several significant findings regarding token invalidation mechanisms in web authorization. Firstly, 85% of the websites using JWTs for authorization do not implement an explicit invalidation mechanism upon user logout. Additionally, 2.67% of websites log users in via verification URLs directly, and 48% of these sites do not invalidate the tokens in the verification URLs even after 24 hours. Furthermore, 13.8% of websites that allow password recovery through email URLs do not invalidate the tokens after they have been used once. Lastly, 54% of the websites where we successfully reset a password do not invalidate previously active sessions.
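The abstract's central observation is that a JWT verifier which checks only the signature and expiry has nothing to consult at logout, so a logged-out token stays valid until `exp`; the three flaws it measures (no logout invalidation, reusable verification/recovery URLs, old sessions surviving a password reset) all come down to missing server-side state. The example below is added here to make that concrete; it is not code from the thesis or from LoginPlus. It mints HS256 JWTs with the standard library, shows the purely stateless check beside a verifier backed by a small invalidation store (a `jti` denylist for logout, a per-user password-reset timestamp compared against `iat`, and a consume-once set for emailed tokens). The signing key, user names and timestamps are constructed for the demo.

```python
"""Added example (not from the thesis or LoginPlus): a stateless JWT check beside
a verifier that consults explicit server-side invalidation state."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, jti: str, iat: int, ttl: int = 3600) -> str:
    """Mint an HS256 JWT (RFC 7519 layout) carrying a unique id (jti) per session."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "jti": jti, "iat": iat, "exp": iat + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_stateless(token: str, now: int) -> Optional[dict]:
    """Signature and expiry only: all a stateless verifier can do. Nothing recorded
    at logout is consulted, so a logged-out token is accepted until exp."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class InvalidationStore:
    """Server-side state a JWT deployment needs for prompt invalidation."""

    def __init__(self) -> None:
        self.revoked_jti: set[str] = set()             # logout denylist (keep until token exp)
        self.password_changed_at: dict[str, int] = {}  # per-user reset timestamp
        self.single_use: set[str] = set()              # outstanding email/recovery tokens

    def logout(self, claims: dict) -> None:
        self.revoked_jti.add(claims["jti"])

    def password_reset(self, sub: str, at: int) -> None:
        # Every token issued before this instant belongs to a pre-reset session.
        self.password_changed_at[sub] = at

    def issue_single_use(self, jti: str) -> None:
        self.single_use.add(jti)

    def consume_single_use(self, jti: str) -> bool:
        """True exactly once per issued verification/recovery token; a replayed URL gets False."""
        if jti in self.single_use:
            self.single_use.remove(jti)
            return True
        return False


def verify_with_invalidation(token: str, now: int, store: InvalidationStore) -> Optional[dict]:
    """Stateless checks first, then the explicit invalidation state."""
    claims = verify_stateless(token, now)
    if claims is None or claims["jti"] in store.revoked_jti:
        return None
    if claims["iat"] < store.password_changed_at.get(claims["sub"], 0):
        return None  # session predates the user's most recent password reset
    return claims


def demo() -> dict:
    """Walk through the three scenarios the abstract measures and report each outcome."""
    store = InvalidationStore()
    t0 = 1_700_000_000  # constructed epoch timestamp
    session = issue_token("alice", "sess-1", t0)
    store.logout(verify_stateless(session, t0 + 1))  # user clicks logout
    results = {
        "stateless_still_accepts_after_logout": verify_stateless(session, t0 + 2) is not None,
        "invalidation_rejects_after_logout": verify_with_invalidation(session, t0 + 2, store) is None,
    }
    # Emailed recovery URL: must work once, then be dead.
    store.issue_single_use("recover-1")
    results["recovery_url_first_use"] = store.consume_single_use("recover-1")
    results["recovery_url_replay"] = store.consume_single_use("recover-1")
    # Password reset must end sessions opened before it, not the one opened after.
    old = issue_token("alice", "sess-2", t0 + 5)
    store.password_reset("alice", t0 + 10)
    new = issue_token("alice", "sess-3", t0 + 11)
    results["old_session_rejected_after_reset"] = verify_with_invalidation(old, t0 + 12, store) is None
    results["new_session_accepted_after_reset"] = verify_with_invalidation(new, t0 + 12, store) is not None
    return results
```

Running `demo()` shows the stateless verifier still accepting the token after logout while the store-backed verifier rejects it; the denylist only has to retain a `jti` until that token's own `exp`, which keeps the state small, and the `iat` comparison gives session-wide invalidation on password reset without enumerating the user's tokens.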

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Lamisa, Kazi Farhat
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Information Systems Security
Date: 1 November 2024
Thesis Supervisor(s): Mannan, Mohammad and Youssef, Amr
ID Code: 994931
Deposited By: Kazi Farhat Lamisa
Deposited On: 17 Jun 2025 17:18
Last Modified: 17 Jun 2025 17:18
