Jump to content
Nytro

HITBGSEC 2015 - Dawid Czagan - Hacking Cookies in Modern Web Applications and Browser

By Nytro, in Tutoriale video

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

HITBGSEC 2015 - Dawid Czagan - Hacking Cookies in Modern Web Applications and Browsers

PRESENTATION MATERIALS:

Index of /materials/sg2015

PRESENTATION ABSTRACT:

Since cookies store sensitive data (session ID, CSRF token, etc.) they are interesting from attacker’s point of view. As it turns out, quite many web applications (including sensitive ones like bitcoin platforms) have cookie related vulnerabilities that lead for example to user impersonation, remote cookie tampering, XSS and more.

Developers tend to forget that multi-factor authentication will not help when cookies are insecurely processed. Security evaluators underestimate cookie related problems. Moreover, there are problems with secure processing of cookies in modern browsers and browser dependent exploitation can be used to launch more powerful attacks.

That’s why secure cookie processing (from the perspective of web application and browser) is a subject worth discussing. The following topics will be presented:

– cookie related vulnerabilities in web applications

– insecure processing of secure flag in modern browsers

– bypassing HttpOnly flag in Safari

– problem with Domain attribute in Internet Explorer

– cookie tampering in Safari

– underestimated XSS via cookie

– HTTP Strict Transport Security (HSTS)

– importance of regeneration

– and more

ABOUT DAWID CZAGAN

Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He also works as Security Architect at Future Processing.

Dawid shares his security bug hunting experience in his hands-on training “Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more”. He delivered security trainings/workshops at Hack In The Box (Amsterdam), CanSecWest (Vancouver), DeepSec (Vienna), Hack In Paris (Paris) and for many private companies. He also spoke at Security Seminar Series (University of Cambridge) and published over 20 security articles (InfoSec Institute).

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...