Presentation:
Pitfalls of Web Session Management
Login session management in modern web applications is largely dominated by the use of HTTP cookies. However, HTTP cookies were never designed for secure applications, which has led to a significant number of protocol security problems. In this talk, the speaker will start with a brief background on why HTTP cookies are a poorly conceived mechanism to begin with, and continue with a discussion of how this impacts security. He will describe several lesser-known cookie-based session management problems that remain widespread and allow for session hijacking through a variety of clever attacks.
Who:
Timothy D. Morgan
Principal Security Consultant - Blindspot Security LLC
As an application security consultant and vulnerability researcher, Tim has been taking deep technical dives in security for over a decade. In that time, he has been credited with the discovery and responsible disclosure of numerous security vulnerabilities in a variety of software products, including: IBM Tivoli Access Manager, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, Oracle WebLogic Application Server, and IBM WebSphere Commerce. His current research interests include applied cryptanalysis, IPv6 security and XML external entity attacks. Tim develops and maintains several open source forensics tools in addition to Bletchley, an application cryptanalysis toolkit.
Tim works to secure his customers' environments through black box testing, code reviews, social engineering evaluations, security training and a variety of other services. Tim earned his computer science degrees from Harvey Mudd College and Northeastern University and currently resides in Portland, Oregon, where he leads the local OWASP chapter.
Cost:
$10 (member) / $15 (non-member) / $20 (at-the-door)
CPEs:
The ISSA meetings are appropriate for CPE credit. The chapter maintains proof of attendance for members, but it is the members' responsibility to ensure that these CPEs are credited to their respective accounts.