Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities

Security

Discover the vulnerabilities in web session integrity and learn how to implement robust security measures to protect your application from cookie-based attacks.

Key takeaways
  • Cookies can be vulnerable to session fixation and cross-site request forgery attacks due to legacy design and implementation issues.
  • The set-cookie attribute is not secure and can be manipulated by an attacker.
  • Nameless cookies are still supported in modern browsers and can be used to bypass security restrictions.
  • The path attribute can be used to bypass host prefixes and access cookies from other domains.
  • The secure attribute is not enough to ensure cookie security, as an attacker can still overwrite the session cookie.
  • The strict-secure attribute is not implemented consistently across browsers and frameworks.
  • The synchronizer token pattern is not effective against same-site attackers.
  • The RFC 6265bis standard does not provide sufficient guidance on cookie security.
  • Most web frameworks and applications are still vulnerable to cookie-based attacks.
  • Implementing security measures such as HSTS and HTTPS can help mitigate cookie-based attacks.
  • Web developers and framework developers need to prioritize cookie security and implement robust security measures to protect against attacks.

More talks

Lets Talk About Privacy: To Know Or Not To Know Is The Question I Blockchain Futurist Conference

Decoding Modern Tech: Cloud, APIs, Wasm, Security, & More • Daniel Bryant & Matt Turner

Talks - Vikram Waradpande: You've got trust issues, we've got solutions: Differential Privacy

MRMCD2024 Bumpy Roads: Car(e) about sharing your insecurities?

How hacking works - Web edition - Espen Sande-Larsen - NDC Oslo 2024

Minko Gechev | Converging Web Frameworks | ViteConf 2024

Security By Design • Ana Oprea • GOTO 2023

🚀 Securing Your Infrastructure with Vault (Paul Stack)