Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities

Discover the vulnerabilities in web session integrity and learn how to implement robust security measures to protect your application from cookie-based attacks.

Key takeaways
  • Cookies can be vulnerable to session fixation and cross-site request forgery attacks due to legacy design and implementation issues.
  • The Set-Cookie attribute is not secure and can be manipulated by an attacker.
  • Nameless cookies are still supported in modern browsers and can be used to bypass security restrictions.
  • The Path attribute can be used to bypass host prefixes and access cookies from other domains.
  • The Secure attribute is not enough to ensure cookie security, as an attacker can still overwrite the session cookie.
  • The strict-secure attribute is not implemented consistently across browsers and frameworks.
  • The synchronizer token pattern is not effective against same-site attackers.
  • The RFC 6265bis standard does not provide sufficient guidance on cookie security.
  • Most web frameworks and applications are still vulnerable to cookie-based attacks.
  • Implementing security measures such as HSTS and HTTPS can help mitigate cookie-based attacks.
  • Web developers and framework developers need to prioritize cookie security and implement robust security measures to protect against attacks.
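
Two server-side measures against the session fixation and CSRF issues listed above, shown as an added example that is not code from the talk or from any framework it covers: the session ID is rotated at login, and the CSRF token is bound to the session ID with an HMAC. The names SessionStore, csrf_token and csrf_ok and the in-memory store are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process key for this demo


class SessionStore:
    """In-memory session table (hypothetical stand-in for a framework's store)."""

    def __init__(self):
        self._sessions = {}

    def new_session(self, user=None):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user}
        return sid

    def login(self, presented_sid, user):
        # Never adopt the presented ID: a same-site attacker may have planted
        # it in the victim's cookie jar. Invalidate it and issue a fresh one.
        self._sessions.pop(presented_sid, None)
        return self.new_session(user)

    def is_live(self, sid):
        return sid in self._sessions


def csrf_token(sid):
    # HMAC over the session ID: the token is only valid for that one session.
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def csrf_ok(sid, token):
    return hmac.compare_digest(csrf_token(sid).encode(), token.encode())


def demo():
    store = SessionStore()
    planted_sid = store.new_session()        # pre-login session known to the attacker
    planted_token = csrf_token(planted_sid)  # token the attacker obtained for it
    victim_sid = store.login(planted_sid, "alice")
    return {
        "sid_rotated": victim_sid != planted_sid,
        "planted_sid_dead": not store.is_live(planted_sid),
        "planted_token_rejected": not csrf_ok(victim_sid, planted_token),
        "own_token_accepted": csrf_ok(victim_sid, csrf_token(victim_sid)),
    }
```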