BHIS | Stopping Webapp Attacks With Cookies | BB King | 1 Hour

Join us in the Black Hills InfoSec Discord server here: https://discord.gg/BHIS to keep the security conversation going!

Learn modern webapp pentesting with BB King from Antisyphon Training: https://www.antisyphontraining.com/modern-webapp-pentesting-w-bb-king/

0:00:00 - FEATURE PRESENTATION: Stopping Attacks with Cookies
0:00:47 - What We'll Cover
0:01:37 - Theory vs. Practice
0:02:12 - Cookies: A Brief Review
0:02:17 - HTTP Is Stateless
0:02:58 - Browser-Side Storage Opportunities
0:05:58 - Ambient Authority - Why CSRF Works
0:07:13 - Cross Site Request Forgery (CSRF)
0:08:28 - OWASP Illustrates CSRF
0:10:49 - CSRF Attacker
0:12:03 - CSRF Defense
0:13:24 - New(ish) Cookie Flags That Help Mitigate CSRF
0:16:50 - Set-Cookie Header in the Wild
0:18:08 - Using the Cookie: Just the Name and Value
0:18:55 - Does CSRF Require Authentication?
0:19:26 - Does CSRF Require Cookies?
0:19:53 - Life Moves Fast: Total Cookie Protection
0:21:42 - Demo Time! SameSite Parameter
0:30:47 - End Demo / Follow Along at Home
0:31:05 - CSRF Defense: Omitting the Cookie
0:31:55 - What About APIs?
0:35:28 - Can You CSRF an API Endpoint? (No)
0:37:24 - Can You CSRF an API Endpoint? (Sometimes, Yes)
0:39:00 - One More Thing / Full Disclosure
0:40:28 - THE END
0:41:05 - Q&A

Description: BB King is here on this Black Hills Webcast to talk about HTTP cookies, cross site request forgery (CSRF), and the cookie flags that can help mitigate CSRF problems.
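The SameSite rules the demo walks through, as an added example for this page (it is not code from the webcast or from BB King's course): a small Node.js model of how a browser decides which cookies to attach to a same-site or cross-site request, following draft-ietf-httpbis-rfc6265bis. The hostnames (bank.example, evil.example), cookie names and the four request shapes are constructed for illustration; the point is that only the cookies the browser sends automatically give a CSRF attacker ambient authority, and that SameSite=Lax still rides along on a top-level GET navigation.

```javascript
// Added example (not from the BHIS webcast): a minimal model of the SameSite
// cookie rules in draft-ietf-httpbis-rfc6265bis. Hostnames, cookie names and
// request shapes below are made up for illustration.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Parse one Set-Cookie header value into a cookie record. Returns null for a
// cookie a modern browser would reject outright (SameSite=None without Secure).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    secure: false,
    httpOnly: false,
    sameSite: "Lax", // Chromium-style default when the attribute is absent
  };
  for (const attr of attrs) {
    const [rawKey, rawVal = ""] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    const val = rawVal.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") {
      // Unrecognised values fall back to Lax, like the draft's "Default" handling.
      cookie.sameSite = { strict: "Strict", lax: "Lax", none: "None" }[val] || "Lax";
    }
  }
  if (cookie.sameSite === "None" && !cookie.secure) return null;
  return cookie;
}

// Decide whether the browser attaches `cookie` to a request described by:
//   crossSite:          the initiator is a different site than the target
//   topLevelNavigation: the request replaces the top-level document (link,
//                       form submit, redirect) rather than a fetch/subresource
//   method:             HTTP method, upper-case
//   https:              the target URL is https://
function cookieIsSent(cookie, req) {
  if (cookie.secure && !req.https) return false;
  if (!req.crossSite) return true;
  switch (cookie.sameSite) {
    case "Strict":
      return false;
    case "Lax":
      // Lax is still sent on top-level navigations with safe methods, which is
      // why a state-changing GET remains CSRF-able under SameSite=Lax.
      return req.topLevelNavigation && SAFE_METHODS.has(req.method);
    case "None":
      return true;
    default:
      return false;
  }
}

// Build the Cookie request header: only name=value pairs go back to the
// server, never the attributes it set (Secure, HttpOnly, SameSite, ...).
function cookieHeaderFor(jar, req) {
  return jar
    .filter((c) => cookieIsSent(c, req))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample: Set-Cookie headers a hypothetical https://bank.example sends.
const jar = [
  "session=s3ss10n; Secure; HttpOnly; SameSite=Lax",
  "prefs=dark; Secure; SameSite=None", // deliberately allowed cross-site
  "legacy=old; SameSite=Strict",
  "bad=x; SameSite=None", // rejected: None without Secure
].map(parseSetCookie).filter(Boolean);

// Requests to https://bank.example/transfer: three from a hypothetical attacker
// page on evil.example, and the legitimate same-site form submission.
const crossSitePost = { crossSite: true, topLevelNavigation: true, method: "POST", https: true };
const crossSiteGet = { crossSite: true, topLevelNavigation: true, method: "GET", https: true };
const crossSiteFetch = { crossSite: true, topLevelNavigation: false, method: "GET", https: true };
const sameSitePost = { crossSite: false, topLevelNavigation: true, method: "POST", https: true };

console.log("cross-site form POST :", cookieHeaderFor(jar, crossSitePost));
console.log("cross-site link GET  :", cookieHeaderFor(jar, crossSiteGet));
console.log("cross-site fetch GET :", cookieHeaderFor(jar, crossSiteFetch));
console.log("same-site form POST  :", cookieHeaderFor(jar, sameSitePost));
```

The cross-site form POST carries only prefs, so a classic CSRF against a POST endpoint fails once the session cookie is Lax; the cross-site top-level GET still carries the session cookie, which is the remaining gap to close with Strict or by keeping state changes off GET.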
Black Hills Infosec Socials
Twitter: https://twitter.com/BHinfoSecurity
Mastodon: https://infosec.exchange/@blackhillsinfosec
LinkedIn: https://www.linkedin.com/company/antisyphon-training
Discord: https://discord.gg/ffzdt3WUDe

Black Hills Infosec Shirts & Hoodies
https://spearphish-general-store.myshopify.com/collections/bhis-shirt-collections

Black Hills Infosec Services
Active SOC: https://www.blackhillsinfosec.com/services/active-soc/
Penetration Testing: https://www.blackhillsinfosec.com/services/
Incident Response: https://www.blackhillsinfosec.com/services/incident-response/

Backdoors & Breaches - Incident Response Card Game
Backdoors & Breaches: https://www.backdoorsandbreaches.com/
Play B&B Online: https://play.backdoorsandbreaches.com/

Antisyphon Training
Pay What You Can: https://www.antisyphontraining.com/pay-what-you-can/
Live Training: https://www.antisyphontraining.com/course-catalog/
On Demand Training: https://www.antisyphontraining.com/on-demand-course-catalog/

Educational Infosec Content
Black Hills Infosec Blogs: https://www.blackhillsinfosec.com/blog/
Wild West Hackin' Fest YouTube: https://www.youtube.com/wildwesthackinfest
Active Countermeasures YouTube: https://youtube.com/activecountermeasures
Antisyphon Training YouTube: https://www.youtube.com/antisyphontraining

Join us at the annual information security conference in Deadwood, SD (in-person and virtually) - Wild West Hackin' Fest: https://wildwesthackinfest.com/

References & Resources:
Modern Webapp Pentesting Course: https://www.antisyphontraining.com/modern-webapp-pentesting-w-bb-king/
Ambient Authority & CSRF (IETF): https://datatracker.ietf.org/doc/html/draft-ietf-httpstate-cookie-23#section-8.2
Cross Site Request Forgery (CSRF) (OWASP): https://owasp.org/www-community/attacks/csrf
XKCD - Random Number: https://xkcd.com/221
Firefox rolls out Total Cookie Protection by default to all users worldwide: https://blog.mozilla.org/en/products/firefox/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/
Cookies: HTTP State Management Mechanism (draft-ietf-httpbis-rfc6265bis): https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html
Twitter API v2 calls: https://developer.twitter.com/apitools/api?endpoint=%2F2%2Ftweets%2F%7Bid%7D&method=delete

Learning Tools from PortSwigger (Burp Suite):
Web Security Academy: https://portswigger.net/web-security
Burp Suite Pro Video Tutorials: https://portswigger.net/burp/pro/video-tutorials
Burp Suite Certified Practitioner ($): https://portswigger.net/web-security/certification