Security BSides Las Vegas 2025

We Fight for the User's... Session
2025-08-05, Florentine E

Ever since cookies were invented 30 years ago there has been a battle to protect them from theft and abuse. Browser designers add defensive features and attackers come up with novel ways to circumvent those defenses, steal session cookies, and become a clone of their victims. This talk will speed-run that arms race, highlighting why many of the old-school defenses remain valuable. And the race is not over. We'll also step through the mechanics of Google's proposed Device Bound Session Credentials which would be game changing... if anyone else chooses to support them.


Protecting the session token may seem mundane, but personal experience has shown that developers' boredom with implementing the same old defenses ends up leading to noteworthy vulnerabilities far too often. Given the BSides audience, my goal is less to convince the audience of the importance than to arm them with succinct statements in support of the controls, which they can take back to their organizations to win some battles.

The new technique to be covered, Device Bound Session Credentials, has a huge advantage over traditional session tokens in that the credentials can't be "stolen", or at least not taken off the device (it's in the name). Of course, as with any technology, being a good one doesn't mean that it's going to be adopted. By explaining the proposed standard in detail, I hope to generate conversation around it and contribute my small part to either its adoption or its rejection if a better standard can be found.

A version of this talk was given at SaintCon 2024 (https://www.youtube.com/watch?v=Qo6KQ7SH6wo), but I plan on amping up the technical side, particularly around how the DBSC protocol actually works.

Mark Hoopes has been an Application Pentester for more than 10 years and has worked in enterprise IT for more than 20. He has presented at multiple conferences as a speaker and instructor. He was sucked into the security industry by a CTF and continues to be a strong proponent of hands-on training. He is currently a chapter leader of OWASP Boulder and the managing principal at a consultancy that specializes in... pentesting and training.