Cookie Replay Attacks - PowerPoint PPT Presentation
1
Cookie Replay Attacks
Combined OWASP and null meet, Bangalore, 05-September-2009
Ravi Gopal (ravigopalt_at_gmail.com)
2
On the way
  • Cookie-Snapshot
  • Cookie - In Security Perspective
  • Live demonstration of replaying the Gmail cookie

3
Cookie-Snapshot
  • What is it?
  • A small piece of information stored on the client system
  • Transferred back and forth between the server and the browser
  • Keeps the state of the session active

4
Cookie-Snapshot
  • How does it work?
  • The browser requests a page from the server
  • The server sends back a cookie along with the requested page
  • The browser sends the cookie to the server with subsequent requests
  • Note that the server identifies the user exclusively by the cookie that is returned

5
Cookie-Snapshot
  • Cookie types
  • Some cookies are destroyed only after a specific expiration time: persistent cookies
  • Some cookies are destroyed when the browser is closed: transient (session) cookies

6
Cookie - In Security Perspective
  • Cookie-related attacks
  • Cookie poisoning
    • Tampering with or changing the cookie
    • Relatively difficult to construct a cookie similar to the original one
    • The difficulty depends on the complexity of the cookie generation mechanism
  • Cookie replay
    • Simply reuse a valid cookie
    • Relatively simple to obtain a valid cookie through sniffing

7
Cookie - In Security Perspective
  • Possible preventive measures
  • Use HTTPS while browsing (if the Secure cookie attribute is implemented): the first level of defense in depth
  • Cookie lifetime: be strict in the age you give a cookie
  • Secure cryptography: don't innovate, use existing, proven mechanisms
  • Persistent cookies: avoid them
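
The preventive measures above, worked through as an added example that is not part of the presentation: a server issues a short-lived session cookie signed with HMAC-SHA256 (a proven primitive rather than a home-grown scheme), sends it with the Secure, HttpOnly and Max-Age attributes, and rejects both a poisoned copy and a copy replayed after its lifetime has elapsed. The key name SERVER_KEY, the claim layout and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a server-side signing key; in production it comes from a key store.
SERVER_KEY = secrets.token_bytes(32)


def b64url(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user: str, max_age: int, now: float, key: bytes = SERVER_KEY):
    """Return (cookie value, Set-Cookie header) for a short-lived session."""
    claims = {"sub": user, "sid": secrets.token_hex(8), "exp": int(now) + max_age}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()  # proven primitive
    value = f"{b64url(payload)}.{b64url(tag)}"
    # Secure: sent only over HTTPS, so it is not exposed to sniffing on the wire.
    # HttpOnly: not readable by page scripts.  Max-Age: strict, short lifetime,
    # and no far-future Expires, so this is not a persistent cookie.
    header = (f"Set-Cookie: session={value}; Max-Age={max_age}; "
              "Secure; HttpOnly; SameSite=Lax; Path=/")
    return value, header


def verify_cookie(value: str, now: float, key: bytes = SERVER_KEY):
    """Return the user if the cookie is authentic and unexpired, else None."""
    try:
        body, tag = value.split(".", 1)
        payload = unb64url(body)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(tag)):
            return None  # poisoned: payload or tag was altered
        claims = json.loads(payload)
        if claims["exp"] <= now:
            return None  # replayed after its lifetime elapsed
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None
```

A stolen cookie is still usable until `exp` passes, which is why the lifetime must be kept short; the signature only stops forgery, not replay within the window.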

8
Thank you
For the step-by-step procedure of the Gmail cookie replay attack, please visit my blog: www.ravigopalt.blogspot.com
Ravi Gopal T ravigopalt_at_gmail.com