Baking Your Anomalous Cookies

Presented at NolaCon 2019, May 18, 2019, 2 p.m. (Unknown duration).

I hacked Fortnite! Actually it was a vulnerable cookie found on several domains owned by Epic Games that allowed me to hijack traffic of users of their websites, steal session tokens and of course, BeEF hook em'. I will describe my journey from creating a custom cookie fuzzing tool (Anomalous Cookie) to help identify vulnerable cookies, to creating a framework for 'Cookie Baking'. Cookie Baking is the technique of creating or modifying a cookie in a users' local Cookie Jar (this includes stuffing with malicious payloads, affiliate tags, fuzz-strings and more). I will also provide insight into the Bug Bounty process, how Google responded to my request for them to protect local cookies at rest, and how I created WHID-Injected Cookies! ;)

Presenters:

• Jimi Allee   as Jim Allee
  Jimi2x has 25+ years of experience in InfoSec (Blue+Red+Purple Teaming/Security Research) and also involved in the video game industry in the 80s where much hacking took place including fuzzing, bug discovery and finding hidden codes to many popular games. Jimi2x currently works for Coalfire Labs where he spends his time as a Senior Consultant.

Links:

• https://nolacon.com/talk/baking-your-anomalous-cookies
• https://infocon.org/cons/NolaCon/NolaCon 2019/Baking Your Anomalous Cookies Jim Allee.mp4
• https://infocon.org/cons/NolaCon/NolaCon 2019/Baking Your Anomalous Cookies Jim Allee.eng.srt (subtitles)
• https://www.youtube.com/watch?v=aIwWy1liUdc

Similar Presentations:

• DEF CON 22 (2014) / Client-Side HTTP Cookie Security: Attack and Defense
• AppSec USA 2017 / Cookie Security – Myths and Misconceptions
• DeepSec 2015 „DeepSec No. 9“ / Hacking Cookies in Modern Web Applications and Browsers