cookie replay attacks n.
Skip this Video
Loading SlideShow in 5 Seconds..
Cookie Replay Attacks PowerPoint Presentation
Download Presentation
Cookie Replay Attacks

play fullscreen
1 / 8
Download Presentation

Cookie Replay Attacks - PowerPoint PPT Presentation

brie
164 Views
Download Presentation

Cookie Replay Attacks

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Cookie Replay Attacks Combined OWASP and null meet Bangalore 05-September -2009 Ravi Gopal (ravigopalt@gmail.com)

  2. On the way • Cookie-Snapshot • Cookie - In Security Perspective • Live demonstration of replaying the Gmail • cookie Ravi Gopal (ravigopalt@gmail.com)

  3. Cookie-Snapshot • What it is? • Small piece of information stored in client • system • Transferred back and forth between Server and • browser • Keeps the state of the session active Ravi Gopal (ravigopalt@gmail.com)

  4. Cookie-Snapshot • How it works? • Browser requests a page on server • Then server sends back a cookie with the • requested page to the browser • The browser sends the cookie to the server • with subsequent requests • Point to be noted that the user will be • identified by the server exclusively on the • cookie that is returned Ravi Gopal (ravigopalt@gmail.com)

  5. Cookie-Snapshot • Cookie- Types • Few cookies will be destroyed after a specific • expiration time - persistent cookie • Few Cookies will be destroyed when the • browser is closed - transient cookie or session • cookie Ravi Gopal (ravigopalt@gmail.com)

  6. Cookie - In Security Perspective • Cookie related attacks • Cookie Poisoning • Tampering or changing the cookie • Relatively difficult to construct the cookie • similar to the original one • The difficulty depends on the complexity of cookie generation mechanism • Cookie Replay • Simply reuse a valid cookie • Relatively simple to get a valid cookie • through sniffing Ravi Gopal (ravigopalt@gmail.com)

  7. Cookie - In Security Perspective • Possible preventive measures • Use HTTPs while browsing (If secure cookie is • implemented)- First level defense in depth • Cookie Life time- Be strict in giving age to cookie • Secure Cryptography: Don’t innovate, use • existing best proven • Persistent Cookie- Avoid it Ravi Gopal (ravigopalt@gmail.com)

  8. Thank you For step-by-step procedure of Gmail cookie replay attack please visit my blog www.ravigopalt.blogspot.com Ravi Gopal T ravigopalt@gmail.com