How Easy Are Session Tokens To Copy & How Do You Defend?

⏱️ Time Stamps ⏱️
00:00 Stealing Session Tokens
01:04 How To See and Copy Tokens
03:36 Defending Against Session Token Stealing

#security #hacking
Comments

Defender is excellent, but its only Achilles' heel is that it relies heavily on the cloud intelligence. If the endpoint gets a virus when not connected to the internet (say using a USB key on a plane) then Defender is basically the world's stupidest antivirus. This has been tested extensively by The PC Security Channel and by others. Of course, it's a rare scenario for most users but it's still important to consider.

ifneeded

Why does this channel not have more subscribers! Great content, keep it up 👍

sammo

Great info! I would add that settings for session revocation are important. On our balance of convenience vs annoyance we have user sessions expire in 12 hours on O365/Azure integrated logins when using a browser, and use a PAM solution to rotate passwords/keys for priv accounts :)

Wilarico

Thanks Tom. Again easy to understand and great commentary.

micromark

This is awesome, spreading the knowledge to the tech community to inform, educate and help implement best practice solutions to mitigate risk. Looks Like Linus TT needs to make use of your services to review their systems, a collaborative Video perhaps. Great work.

richardwatkins

Dang! Conceptually I understood how cookie stealing worked, but I didn’t realize how easy it was to do!

notreallyme

Tom, this was a great video. The tips at the end really help and the last tip changed my mind.

iamtemo

I have a workflow where, at least for some admin work, I'll spin up the Windows Sandbox, do the work, and close it off. There are things that won't work in that flow, but it's a useful one to try and see where you can make use of it.

AdmVrln

Got my Facebook account hacked yesterday. I was able to recover it, and now I'm doing my research on how to stay safe. Thank you Lawrence!

danizugrav

Seems like we need to have some kind of token authentication system (used when the associated token suddenly comes from another IP address, for example). Maybe the client's TPM could do a secure key exchange with the server at the initial sign on to be able to periodically reauthenticate and make sure that token is only being used by the originating device. It wouldn't completely eliminate the threat of a compromised device, but all attacks would have to come through _that_ device and couldn't be from any random machine on the Internet.

seanpalmer

At work, sorry, I just have to move the mice around so I look like a 1337 hacker dude; most of the industry experts already moved on to being against saving passwords, with daily image restore on all their machines.... Sessions were killed with a cookie delete addon on Firefox.

Logging in is fucking annoying; that's why the most crucial software that might hold the credential is on a 15 min timer, while every other login is permanent... except for cookies, which are allowed 2 hours..

Every morning IT loads an image to our computers, and every morning + 1 minute, and every hour, a script makes sure nobody is that dumb.

svampebob

I use the extension Cookie AutoDelete, which deletes cookies upon leaving/changing the domain or closing a tab. I can't remember how I did this, but I put exceptions in place so it doesn't ask for my 2FA codes every time, but it does ask for my password every time I go to the sites. But now you're making me worry about trusting the extension, since it has access to my cookies…

notreallyme

Could web browsers not encrypt their offline storage on disk? Though I suppose that would involve the user having to enter a passphrase or something when the browser was launched.

Even so, would be a nice option to have.

mtuk

This is really only a "surface" look at this whole matter, since a theoretical attack would be from another IP entirely with the same token. I'm more interested in how this would behave if you were to suddenly have another IP, potentially from the same country via a VPN though, and whether platforms like Google, Twitter and co. would recognize this sudden weird change.

EpicLPer

Does using Firefox multi container help mitigate stuff like that?

louisshade

Why, when you hit sign out, did it not delete that token?

lathanbagley

Thank you so much for this video. May I ask: if I signed out of an account and then signed in again, will the saved session token for this site in the browser be refreshed with a new one? TIA
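Several of the comments above (sammo on 12-hour expiry and revocation, danizugrav on tying a token to the originating device, mtuk on the token turning up from another IP, louisshade and lathanbagley on sign-out and re-login) describe server-side behaviour, and it is the server's session store that decides what a copied cookie can still do. The following is an added example, not code from the video or from any commenter, of a minimal in-memory session store that implements those checks: a fresh random token on every login, only a hash of the token kept server-side, an absolute 12-hour lifetime, immediate revocation if the token arrives from a different browser fingerprint, a step-up (second factor) requirement if it arrives from a different IP, and deletion on sign-out. All names (`SessionStore`, `Session`, `walkthrough`), the sample IPs and user-agent strings are constructed for the example; how the step-up is actually verified is left to the application.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Absolute session lifetime: 12 hours, the figure one commenter uses for O365 logins.
ABSOLUTE_LIFETIME_SECONDS = 12 * 60 * 60


@dataclass
class Session:
    user: str
    ua_fingerprint: str      # hash of the browser's User-Agent at login time
    ip: str                  # client IP the token is currently trusted from
    created_at: float
    pending_step_up: bool = False   # set when the token shows up from a new IP


class SessionStore:
    """Hypothetical server-side store; the clock is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # sha256(token) -> Session; a leaked table does not leak tokens

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    @staticmethod
    def _ua_fingerprint(user_agent):
        return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

    def login(self, user, ip, user_agent):
        # Every login mints a new unguessable token, so re-login never reuses the old one.
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(
            user, self._ua_fingerprint(user_agent), ip, self._clock())
        return token

    def validate(self, token, ip, user_agent):
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return "unknown"                      # never issued, logged out, or revoked
        if self._clock() - sess.created_at > ABSOLUTE_LIFETIME_SECONDS:
            del self._sessions[key]
            return "expired"                      # absolute lifetime, regardless of activity
        if sess.ua_fingerprint != self._ua_fingerprint(user_agent):
            del self._sessions[key]
            return "revoked"                      # copied into a different browser: kill it
        if sess.ip != ip:
            sess.pending_step_up = True           # new network location: demand a second factor
            return "step_up_required"
        if sess.pending_step_up:
            return "step_up_required"             # stays locked until the step-up completes
        return "ok"

    def complete_step_up(self, token, ip):
        # Called by the application only after the second factor was verified.
        sess = self._sessions.get(self._key(token))
        if sess is None:
            return False
        sess.ip = ip
        sess.pending_step_up = False
        return True

    def logout(self, token):
        # Sign-out deletes the server-side record, so the cookie value becomes worthless.
        return self._sessions.pop(self._key(token), None) is not None

    def revoke_all(self, user):
        keys = [k for k, s in self._sessions.items() if s.user == user]
        for k in keys:
            del self._sessions[k]
        return len(keys)


def walkthrough():
    """Runs the scenarios from the comments with constructed data and returns the outcomes."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    ua = "Mozilla/5.0 (constructed sample browser)"
    results = {}
    t1 = store.login("alice", "203.0.113.10", ua)
    results["same_device"] = store.validate(t1, "203.0.113.10", ua)
    results["copied_other_ip"] = store.validate(t1, "198.51.100.7", ua)
    results["original_ip_still_locked"] = store.validate(t1, "203.0.113.10", ua)
    store.complete_step_up(t1, "203.0.113.10")
    results["after_step_up"] = store.validate(t1, "203.0.113.10", ua)
    results["copied_other_browser"] = store.validate(t1, "203.0.113.10", "curl/8.0 (constructed)")
    results["after_revoke"] = store.validate(t1, "203.0.113.10", ua)
    t2 = store.login("alice", "203.0.113.10", ua)
    results["new_token_differs"] = t2 != t1
    store.logout(t2)
    results["after_logout"] = store.validate(t2, "203.0.113.10", ua)
    t3 = store.login("alice", "203.0.113.10", ua)
    now[0] += ABSOLUTE_LIFETIME_SECONDS + 1
    results["after_12h"] = store.validate(t3, "203.0.113.10", ua)
    return results


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name}: {outcome}")
```

Binding to the User-Agent alone is a weak fingerprint (a copied cookie is usually replayed with a copied User-Agent too), which is why the IP check and the step-up exist as a second layer; a device-bound key, as one commenter proposes with a TPM, would replace `ua_fingerprint` with a signature the server can verify on each request.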

Mohamedahmed-jzxd

Hi, is this possible with all sites, like for example Office 365?

bartjanssens

I've opted not to even keep cookies in my browsers. There's no point for me to have a session active if I'm not actively on the page. Leaves you open for attack.

GeorgeG

Would something like Azure AD Conditional Access be used to mitigate this, by only allowing certain public IPs to log in or requiring an Intune device, or do these Conditional Access rules only kick in during authentication, so that once a token is assigned it can bypass Conditional Access?

abe