Client-Side HTTP Cookie Security: Attack and Defense

Presented at DEF CON 22 (2014), Aug. 8, 2014, 2 p.m. (60 minutes)

HTTP cookies are an important part of trust on the web. Users often trade their login credentials for a cookie, which is then used to authenticate subsequent requests. Cookies are valuable to attackers: passwords can be fortified by two-factor authentication and "new login location detected" emails, but session cookies typically bypass these measures. This talk will explore the security implications of how popular browsers store cookies, ways in which cookies can be stolen, and potential mitigations.
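The abstract's point is that a session cookie stands in for the password on every later request, so the attributes the server puts on that cookie decide how exposed it is on the client. The following is an added example, not code from the talk or its author: it issues a hardened session cookie and audits arbitrary `Set-Cookie` header values for the well-known client-side hardening attributes (`Secure`, `HttpOnly`, `SameSite`, and the absence of `Expires`/`Max-Age` and `Domain`). The attribute names are the standard Set-Cookie attributes; the sample headers and the function names are constructed for this example, and `SameSite` support in `http.cookies` assumes Python 3.8 or newer.

```python
"""Added example: issue a hardened session cookie and audit Set-Cookie headers
for the client-side attributes that limit theft and replay.  Not part of the
DEF CON 22 talk; sample headers below are constructed."""
from http.cookies import SimpleCookie
import secrets


def issue_session_cookie(name="session"):
    """Return a Set-Cookie header value for a fresh session.

    Secure    -> browser only sends it over HTTPS
    HttpOnly  -> hidden from document.cookie (script-based theft)
    SameSite  -> not attached to cross-site requests
    No Expires/Max-Age -> a 'session' cookie, which browsers normally keep
    in memory rather than in the on-disk cookie store; enforce the lifetime
    server-side instead.
    """
    cookie = SimpleCookie()
    cookie[name] = secrets.token_urlsafe(32)   # 256 bits of randomness
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = "Strict"        # needs Python 3.8+
    cookie[name]["path"] = "/"
    return cookie[name].OutputString()


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attr_lower: attr_value}).

    Attribute names are case-insensitive; bare flags such as Secure map to ''.
    """
    first, *rest = header_value.split(";")
    name, _, value = first.strip().partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value):
    """Return (cookie_name, [findings]) for one Set-Cookie header value.

    An empty findings list means every checked hardening attribute is present.
    """
    name, _, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent: written to the browser's on-disk cookie store")
    if "domain" in attrs:
        findings.append("Domain=%s: shared with every subdomain" % attrs["domain"])
    return name, findings


if __name__ == "__main__":
    # Constructed sample header with no hardening at all.
    weak = "sid=abc123; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"
    for hdr in (weak, issue_session_cookie()):
        cookie_name, problems = audit_set_cookie(hdr)
        print(cookie_name, "->", problems or "no findings")
```

Run against real `Set-Cookie` headers captured from a login response, the audit gives a quick read on whether a stolen copy of the cookie would travel over HTTP, be readable from script, or sit on disk between browser sessions; the issuing function shows the attribute set that avoids all of those findings.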


Presenters:

  • David Wyde - Software engineer, Cisco
    David Wyde is a security researcher at Cisco Systems, with a background in web application development. His favorite type of cookie is double chocolate chip, but HTTP cookies are a close second. When he's not working with software, he enjoys playing chess, dodgeball, ping pong, and N64 Super Smash Bros. Website: http://davidwyde.com
