Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities | A Conversation with Pedro Adão and Marco Squarcina | Las Vegas Black Hat 2023 Event Coverage | Redefining CyberSecurity Podcast With Sean Martin and Marco Ciappelli

08/02/23 · Redefining CyberSecurity

Guests:
Pedro Adão, Associate Professor, Instituto Superior Técnico, Universidade de Lisboa [@istecnico]
On LinkedIn | https://www.linkedin.com/in/pe....dro-ad%C3%A3o-b5b792

Marco Squarcina, Senior Scientist, TU Wien [@tu_wien]
On LinkedIn | https://www.linkedin.com/in/sq....uarcina/?originalSub
https://minimalblue.com/

Hosts:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/i....tspmagazine-podcast-

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast and Audio Signals Podcast
On ITSPmagazine | https://www.itspmagazine.com/i....tspmagazine-podcast-

Episode's Sponsors:
Island.io | https://itspm.ag/island-io-6b5....ffd

Episode Notes
In this Chats on the Road to Black Hat USA, hosts Sean and Marco are joined by guests Pedro and Marco to explore the vulnerabilities and challenges of web security. The conversation begins with an explanation of the Double Submit Cookie and Synchronizer Token patterns used to protect against CSRF (cross-site request forgery) attacks. The guests discuss the limitations of these patterns, which hold only as long as the integrity of the cookies they rely on is guaranteed: if an attacker can set or modify a cookie for the target site, a defense that compares a cookie against a request token can be satisfied with attacker-chosen values. They highlight the need for better solutions.

The conversation then unpacks the complexities of web security, including the difficulty of maintaining backward compatibility and the challenge of coordinating the many components and parties involved in web development, delivery, and operations. The guests stress the importance of revisiting the security of subdomains and of deploying mechanisms such as HSTS (HTTP Strict Transport Security) with the includeSubDomains directive, so that a weaker subdomain cannot undermine the parent domain. The conversation also raises philosophical questions about the responsibility of companies and the development community in addressing web security, as well as the role of legislation in this space.

The group emphasizes the need for platforms and frameworks that prioritize security from the start. The conversation concludes with a discussion of the importance of ongoing research, of reporting vulnerabilities to developers, and of finding solutions that improve the overall security of web applications. Listeners can expect to gain a deeper understanding of web security challenges and of the ongoing efforts to address vulnerabilities and improve the security of the internet ahead of Pedro's and Marco's research presentation at Black Hat USA 2023.

Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com



