Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities

Автор: Black Hat

Загружено: 2024-01-26

Просмотров: 2544

Описание:

Cookies have a long history of vulnerabilities targeting their confidentiality and integrity. To address these issues, new mechanisms have been proposed and implemented in browsers and server-side applications. Notably, the updated cookie standard RFC6265bis improved the Secure attribute and introduced cookie prefixes to strengthen cookie integrity against network and same-site attackers, whereas the SameSite attribute has been touted as the solution to CSRF. On the server, token-based protections are considered an effective defense for CSRF in the synchronizer token pattern variant.

In this talk, we will focus on real-world security implications of cookie integrity issues and show how security mechanisms previously considered robust can be bypassed, exposing Web applications to session integrity attacks such as session fixation and cross-origin request forgery (CORF)....

By: Pedro Adão , Marco Squarcina

Full Abstract and Presentation Materials: https://www.blackhat.com/us-23/briefi...

Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities

Доступные форматы для скачивания:

Скачать видео mp4

Информация по загрузке:

Скачать аудио mp3

Похожие видео

Nothing but Net: Leveraging macOS's Networking Frameworks to Heuristically Detect Malware

Nothing but Net: Leveraging macOS's Networking Frameworks to Heuristically Detect Malware

Houston, We Have a Problem: Analyzing the Security of Low Earth Orbit Satellites

Houston, We Have a Problem: Analyzing the Security of Low Earth Orbit Satellites

PLUG: Dorothy in 2026 - Benjamin Lupton, January 2026

PLUG: Dorothy in 2026 - Benjamin Lupton, January 2026

Three New Attacks Against JSON Web Tokens

Three New Attacks Against JSON Web Tokens

Web App Pentesting - HTTP Cookies & Sessions

Web App Pentesting - HTTP Cookies & Sessions

Breaking LLM Applications – Advances in Prompt Injection Exploitation

Breaking LLM Applications – Advances in Prompt Injection Exploitation

Backdooring and Hijacking Azure AD Accounts by Abusing External Identities

Backdooring and Hijacking Azure AD Accounts by Abusing External Identities

Reconsidering Self-XSS And Exploring Novel Attacks With Cookie Tossing - Thomas Houhou

Reconsidering Self-XSS And Exploring Novel Attacks With Cookie Tossing - Thomas Houhou

Something Rotten in the State of Data Centers

Something Rotten in the State of Data Centers

HTTP Cookies Crash Course

HTTP Cookies Crash Course

Physical Attacks Against Smartphones

Physical Attacks Against Smartphones

The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders

The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders

What Does an LLM-Powered Threat Intelligence Program Look Like?

What Does an LLM-Powered Threat Intelligence Program Look Like?

Насколько легко копировать сеансовые токены и как от этого защититься?

Насколько легко копировать сеансовые токены и как от этого защититься?

Атака с перехватом сеанса | Кража идентификатора сеанса и файлов cookie | SideJacking

Атака с перехватом сеанса | Кража идентификатора сеанса и файлов cookie | SideJacking

Но что такое нейронная сеть? | Глава 1. Глубокое обучение

Но что такое нейронная сеть? | Глава 1. Глубокое обучение

Dark Web РАСКРЫТ (БЕСПЛАТНО + Инструмент с открытым исходным кодом)

Dark Web РАСКРЫТ (БЕСПЛАТНО + Инструмент с открытым исходным кодом)

HITCON CMT 2019 - The cookie monster in your browsers

HITCON CMT 2019 - The cookie monster in your browsers

КАК УСТРОЕН TCP/IP?

КАК УСТРОЕН TCP/IP?

USENIX Security '23 - Cookie Crumbles: Breaking and Fixing Web Session Integrity

USENIX Security '23 - Cookie Crumbles: Breaking and Fixing Web Session Integrity