BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:Insecure processing of cookies in modern web applications and brow
 sers - Dawid Czagan\, Silesia Security Lab
DTSTART:20150602T133000Z
DTEND:20150602T143000Z
UID:TALK59094@talks.cam.ac.uk
CONTACT:Laurent Simon
DESCRIPTION:*Abstract:*\nSince cookies store sensitive data (session ID\, 
 CSRF token\, etc.) they\nare interesting from an attacker's point of view.
  As it turns out\, quite\nmany web applications (including sensitive ones 
 like bitcoin platforms)\nhave cookie-related vulnerabilities that lead for
  example to user\nimpersonation\, remote cookie tampering\, XSS and more.\
 n\nDevelopers tend to forget that multi-factor authentication will not hel
 p\nwhen cookies are insecurely processed. Security evaluators underestimat
 e\nfor example XSS via cookie - they claim that local access is needed for
 \nexploitation\, but this is not always the case (browser dependent\nexplo
 itation can be used to launch an attack remotely). Moreover\, there\nare p
 roblems with secure processing of cookies in modern browsers.\n\nThat's wh
 y secure cookie processing (from the perspective of web\napplication and b
 rowser) seems to be a subject worth discussing.\n\n*Bio:*\nDawid Czagan (@
 dawidczagan) has found security vulnerabilities in\nGoogle\, Yahoo\, Mozil
 la\, Microsoft\, Twitter\, BlackBerry and other\ncompanies. Due to the sev
 erity of many bugs\, he received numerous awards\nfor his findings.\n\nDaw
 id is founder and CEO at Silesia Security Lab\, which delivers\nspecialize
 d security auditing and training services. He also works as\nSecurity Arch
 itect at Future Processing.\n\nDawid shares his security bug hunting exper
 ience in his hands-on\ntraining "Hacking web applications - case studies o
 f award-winning bugs\nin Google\, Yahoo\, Mozilla and more". He delivered 
 security\ntrainings/workshops at CanSecWest (Canada)\, DeepSec (Austria)\,
  IAESTE\nCaseWeek (Silesian University of Technology\, Poland) and for man
 y\nprivate companies. Dawid also published over 20 security articles\n(Inf
 oSec Institute\, USA).\n\nTo find out about the latest in Dawid's work\, y
 ou are invited to visit\nhis blog (https://silesiasecuritylab.com/blog) an
 d follow him on Twitter\n(@dawidczagan).
LOCATION:Room FW26\, Computer Laboratory\, William Gates Building
END:VEVENT
END:VCALENDAR
