Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities

Security

Discover the vulnerabilities in web session integrity and learn how to implement robust security measures to protect your application from cookie-based attacks.

Key takeaways
  • Cookies can be vulnerable to session fixation and cross-site request forgery attacks due to legacy design and implementation issues.
  • The set-cookie attribute is not secure and can be manipulated by an attacker.
  • Nameless cookies are still supported in modern browsers and can be used to bypass security restrictions.
  • The path attribute can be used to bypass host prefixes and access cookies from other domains.
  • The secure attribute is not enough to ensure cookie security, as an attacker can still overwrite the session cookie.
  • The strict-secure attribute is not implemented consistently across browsers and frameworks.
  • The synchronizer token pattern is not effective against same-site attackers.
  • The RFC 6265bis standard does not provide sufficient guidance on cookie security.
  • Most web frameworks and applications are still vulnerable to cookie-based attacks.
  • Implementing security measures such as HSTS and HTTPS can help mitigate cookie-based attacks.
  • Web developers and framework developers need to prioritize cookie security and implement robust security measures to protect against attacks.

More talks

Roc Alayo Arnabat & Sergi Rosell Ferrer - GitOps in Modern Security-Compliant Environments

Hooman Beheshti – Why you should be expecting more from the network edge

Introduction to Quarkus Security by Sergey Beryozkin

Navigating Through Programming's Greatest Mistakes • Mark Rendle & Hannes Lowette • GOTO 2023

eBPF ELFs JMPing Through the Windows

PAR: Securing the OAuth and OpenID Connect Front-Channel - Dominick Baier - NDC Security 2024

SAINTCON 2023 - Christopher Forte - Full Stack for "Hackers"

Hop on the PHP Blockchain rocket to the MOON! - Drishti Jain - PHP UK 2022