BHIS | Stopping Webapp Attacks With Cookies | BB King | 1 Hour


Join us in the Black Hills InfoSec Discord server here: / discord to keep the security conversation going!

Learn modern webapp pentesting with BB King from Antisyphon Training: https://www.antisyphontraining.com/mo...

0:00:00 - FEATURE PRESENTATION: Stopping Attacks with Cookies
0:00:47 - What We'll Cover
0:01:37 - Theory vs. Practice
0:02:12 - Cookies: A Brief Review
0:02:17 - HTTP Is Stateless
0:02:58 - Browser-Side Storage Opportunities
0:05:58 - Ambient Authority - Why CSRF Works
0:07:13 - Cross Site Request Forgery (CSRF)
0:08:28 - OWASP Illustrates CSRF
0:10:49 - CSRF Attacker
0:12:03 - CSRF Defense
0:13:24 - New(ish) Cookie Flags That Help Mitigate CSRF
0:16:50 - Set-Cookie Header in the Wild
0:18:08 - Using the Cookie: Just the Name and Value
0:18:55 - Does CSRF Require Authentication?
0:19:26 - Does CSRF Require Cookies?
0:19:53 - Life Moves Fast: Total Cookie Protection
0:21:42 - Demo Time! SameSite Parameter
0:30:47 - End Demo / Follow Along at Home
0:31:05 - CSRF Defense: Omitting the Cookie
0:31:55 - What About APIs?
0:35:28 - Can You CSRF an API Endpoint? (No)
0:37:24 - Can You CSRF an API Endpoint? (Sometimes, Yes)
0:39:00 - One More Thing / Full Disclosure
0:40:28 - THE END
0:41:05 - Q&A

Description: BB King is here on this Black Hills Webcast to talk about HTTP cookies, cross-site request forgery (CSRF), and the cookie flags that can help mitigate CSRF problems.

Black Hills Infosec Socials
Twitter: / bhinfosecurity
Mastodon: https://infosec.exchange/@blackhillsi...
LinkedIn: / antisyphon-training
Discord: / discord

Black Hills Infosec Shirts & Hoodies
https://spearphish-general-store.mysh...

Black Hills Infosec Services
Active SOC: https://www.blackhillsinfosec.com/ser...
Penetration Testing: https://www.blackhillsinfosec.com/ser...
Incident Response: https://www.blackhillsinfosec.com/ser...

Backdoors & Breaches - Incident Response Card Game
Backdoors & Breaches: https://www.backdoorsandbreaches.com/
Play B&B Online: https://play.backdoorsandbreaches.com/

Antisyphon Training
Pay What You Can: https://www.antisyphontraining.com/pa...
Live Training: https://www.antisyphontraining.com/co...
On Demand Training: https://www.antisyphontraining.com/on...

Educational Infosec Content
Black Hills Infosec Blogs: https://www.blackhillsinfosec.com/blog/
Wild West Hackin' Fest YouTube: / wildwesthackinfest
Active Countermeasures YouTube: / activecountermeasures
Antisyphon Training YouTube: / antisyphontraining

Join us at the annual information security conference in Deadwood, SD (in-person and virtually) — Wild West Hackin' Fest: https://wildwesthackinfest.com/

References & Resources:
Modern Webapp Pentesting Course
https://www.antisyphontraining.com/mo...

Ambient Authority & CSRF (IETF)
https://datatracker.ietf.org/doc/html...

Cross Site Request Forgery (CSRF) (OWASP)
https://owasp.org/www-community/attac...

XKCD - Random Number
https://xkcd.com/221

Firefox rolls out Total Cookie Protection by default to all users worldwide
https://blog.mozilla.org/en/products/...

Cookies: HTTP State Management Mechanism
https://httpwg.org/http-extensions/dr...

Twitter API v2 calls
https://developer.twitter.com/apitool...

Learning Tools from PortSwigger (Burp Suite):
Web Security Academy: https://portswigger.net/web-security
Burp Suite Pro Video Tutorials: https://portswigger.net/burp/pro/vide...
Burp Suite Certified Practitioner ($) https://portswigger.net/web-security/...
