Token Up: Keeping Hands out of the Cookie Jar

Monday, October 28, 2019 - 4:00 pm - 4:45 pm

Erin Browning, Latacora

Abstract: 

Even in these modern times, we still trade credentials for authentication or session tokens. In typical applications, session tokens received on the client side are stored in either the browser's local storage or as cookies. As an attacker, I want to steal a user's auth token, hijack their session and then take over their account. The browser and a naive user are good attack vectors. We’ll run through how to architect your website to take advantage of various browser-based protections that reduce the impact of common attacks, such as cross-site scripting and privilege escalation.


Erin Browning is a senior security engineer at Latacora. She focuses on application and Android security and has an interest in cryptography. She loves cats and puns. You can find her on Twitter @efrowning.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@conference {240810,
author = {Erin Browning},
title = {Token Up: Keeping Hands out of the Cookie Jar},
year = {2019},
address = {Portland, OR},
publisher = {USENIX Association},
month = oct
}
