Insecure processing of cookies in modern web applications and browsers
If you have a question about this talk, please contact Laurent Simon.

Abstract: Since cookies store sensitive data (session ID, CSRF token, etc.), they are interesting from an attacker's point of view. As it turns out, quite a few web applications (including sensitive ones such as bitcoin platforms) have cookie-related vulnerabilities that lead, for example, to user impersonation, remote cookie tampering, XSS and more. Developers tend to forget that multi-factor authentication will not help when cookies are insecurely processed. Security evaluators underestimate, for example, XSS via cookie: they claim that local access is needed for exploitation, but this is not always the case (browser-dependent exploitation can be used to launch the attack remotely). Moreover, there are problems with secure processing of cookies in modern browsers. That is why secure cookie processing (from the perspective of both the web application and the browser) seems to be a subject worth discussing.

Bio: Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Because of the severity of many of these bugs, he received numerous awards for his findings. Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He also works as Security Architect at Future Processing. Dawid shares his security bug hunting experience in his hands-on training "Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more". He has delivered security training and workshops at CanSecWest (Canada), DeepSec (Austria), IAESTE CaseWeek (Silesian University of Technology, Poland) and for many private companies. Dawid has also published over 20 security articles (InfoSec Institute, USA). To find out about the latest in Dawid's work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter (@dawidczagan).
This talk is part of the Computer Laboratory Security Seminar series.