Session: If you Give a Hacker a Cookie

If you give a hacker a cookie… He’s going to inspect the cookie with a tool like OWASP ZAP. When he’s found a persistent session cookie, he might notice the SameSite or HttpOnly attributes are missing. So he will probably run a dynamic security scan using ZAP to find a cross-site scripting vulnerability on a page that uses the vulnerable cookie. When the scanner finds a reflected XSS, he’ll want to execute a session hijacking attack to steal the sensitive information in the persistent cookie. He might send phishing emails containing the vulnerable URL, which would execute JavaScript in the user’s browser and send sensitive information back to the hacker. He might get carried away and brag about his exploit on social media, thus damaging the reputation of the company. He’ll post the YouTube video of his exploit and stand back to look at it. While looking at YouTube he’ll end up watching a funny video of a cat falling asleep while drinking milk, which will remind him that he’s thirsty. So… he’ll want a glass of milk. And chances are, while he drinks a glass of milk, he’s going to want a cookie to go with it.
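The chain above starts with a session cookie that is missing its protective attributes. The following script is an added example (not part of the session or the presenters’ material) showing the check a defender would run over response headers before a scanner does: it flags `Set-Cookie` values lacking `HttpOnly`, `Secure` or a `Lax`/`Strict` `SameSite`, notes whether the cookie is persistent, and shows the hardened form. The header values are constructed samples, not from any real site.

```python
# Audit Set-Cookie header values for the attributes the abstract calls out
# (HttpOnly, SameSite) plus Secure, and note whether the cookie is persistent.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple, Union

# Constructed sample headers (not from any real site): a weak persistent
# session cookie next to a hardened one.
WEAK_COOKIE = "SESSIONID=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"
HARDENED_COOKIE = "SESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"


@dataclass
class CookieFinding:
    name: str
    persistent: bool
    missing: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, Union[str, bool]]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value or True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # flag attribute such as HttpOnly
    return name, attrs


def audit_set_cookie(header_value: str) -> CookieFinding:
    """Return which protective attributes a session cookie is missing."""
    name, attrs = parse_set_cookie(header_value)
    missing: List[str] = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")  # readable by script, so an XSS can exfiltrate it
    if "secure" not in attrs:
        missing.append("Secure")    # may be sent over plain HTTP
    samesite = attrs.get("samesite")
    # For a session cookie only Lax or Strict is treated as acceptable here;
    # absent, malformed or None means it is sent on cross-site requests.
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        missing.append("SameSite")
    persistent = "expires" in attrs or "max-age" in attrs
    return CookieFinding(name, persistent, missing)


def audit_response_headers(headers: List[Tuple[str, str]]) -> List[CookieFinding]:
    """Audit every Set-Cookie header in a (name, value) header list."""
    return [audit_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]


def hardened_set_cookie(name: str, value: str, same_site: str = "Lax", path: str = "/") -> str:
    """Build a Set-Cookie value with the attributes the audit expects."""
    return f"{name}={value}; Path={path}; HttpOnly; Secure; SameSite={same_site}"


if __name__ == "__main__":
    sample_headers = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", WEAK_COOKIE),
        ("Set-Cookie", HARDENED_COOKIE),
    ]
    for finding in audit_response_headers(sample_headers):
        status = "OK" if finding.ok else "missing " + ", ".join(finding.missing)
        kind = "persistent" if finding.persistent else "session-scoped"
        print(f"{finding.name}: {kind}, {status}")
```

Run it on the captured headers of any response that sets a session cookie; a persistent cookie reported as missing `HttpOnly` is exactly the starting point of the story above, and `hardened_set_cookie` shows the value the server should have sent instead.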

This session will cover:

  • An introduction to OIDC, OAuth and JWTs in the context of a microservices-based architecture
  • A comparison of a traditional cookie-based authentication approach vs a modern JWT-based design
  • Open-source OWASP tools such as the API Security Guide, Cheat Sheets, and testing tools
  • The role of an API gateway when using cloud-based identity providers

Presenters: