Token Up: Keeping Hands out of the Cookie Jar

Monday, October 28, 2019 - 4:00 pm4:45 pm

Erin Browning, Latacora


Even in these modern times, we still trade credentials for authentication or session tokens. In typical applications, session tokens received on the client side are stored in either the browser's local storage or as cookies. As an attacker, I want to steal a user's auth token, hijack their session and then take over their account. The browser and a naive user are good attack vectors. We’ll run through how to architect your website to take advantage of various browser-based protections that reduce the impact of common attacks, such as cross-site scripting and privilege escalation.

Erin Browning, Latacora

Erin Browning is a senior security engineer at Latacora. She focuses on application and Android security and has an interest in cryptography. She loves cats and puns. You can find her on twitter @efrowning.

@conference {240810,
author = {Erin Browning},
title = {Token Up: Keeping Hands out of the Cookie Jar},
year = {2019},
address = {Portland, OR},
publisher = {{USENIX} Association},
month = oct,