DeepSec2015 Talk: Hacking Cookies in Modern Web Applications and Browsers – a short Interview with Dawid Czagan
You don’t have to be the cookie monster to see cookies all around us. The World Wide Web is full of it. Make sure not to underestimate their impact on information security. Dawid Czagan will tell you why.
1) Please tell us the top 5 facts about your talk.
The following topics will be presented:
– cookie related vulnerabilities in web applications
– insecure processing of secure flag in modern browsers
– bypassing HttpOnly flag and cookie tampering in Safari
– problem with Domain attribute in Internet Explorer
– underestimated XSS via cookie
– and more
2) How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I noticed that cookie related problems are underestimated. People claim, for example, that XSS via cookie requires local access to machine of the victim, but it is not true (a number of remote attacks is possible). Developers tend to forget that multi-factor authentication does not help if cookies are insecurely processed. Quite many things can go wrong. There are also problems with secure cookie processing in different browsers and RFC 6265 (cookie processing is described in this RFC and modern browsers rely on this document).
3) Why do you think this is an important topic?
Since cookies store sensitive data (session ID, CSRF token, etc.), they are interesting from an attacker’s point of view. As it turns out, quite many web applications (including sensitive ones like Bitcoin platforms) have cookie related vulnerabilities, that lead, for example, to user impersonation, remote cookie tampering, XSS and more. Moreover, there are problems with the secure processing of cookies in modern browsers. That’s why secure cookie processing (from the perspective of web application and browser) is a subject worth discussing.
4) Is there something you want everybody to know – some good advice for our readers maybe?
If readers want to play at DeepSec 2015 with authentic, award-winning web application bugs (including cookie hacks) identified in some of the greatest companies (Google, Yahoo, Mozilla, Twitter, …), then don’t hesitate and register for my training “Hacking Web Applications – Case Studies of award-winning bugs in Google, Yahoo, Mozilla and more”. More information about the training can be found in the detailed training description.
5) A prediction for the future – What do you think will be the next innovations or future downfalls when it comes to your particular field of expertise / the topic of your talk?
Security engineers/researchers should educate development teams, cooperate with browser vendors and discuss/improve RFC 6265 to make cookie processing more secure.
Dawid Czagan has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings. Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He also works as Security Architect at Future Processing. Dawid shares his security bug hunting experience in his hands-on training “Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more”. He delivered security trainings/workshops at Hack In The Box (Amsterdam), CanSecWest (Vancouver), DeepSec (Vienna), Hack In Paris (Paris) and for many private companies. He also spoke at Security Seminar Series (University of Cambridge) and published over 20 security articles (InfoSec Institute). To find out about the latest in Dawid’s work, you are invited to visit his blog and follow him on Twitter.