Truncating TLS Connections to Violate Beliefs in Web Applications





PROSECCO (Programming securely with cryptography), Inria Paris-Rocquencourt

Abstract: We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application's state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts. Update October 18, 2014. This technical report revisits our earlier work (2013) and shows that Google remain vulnerable to the attacks that we disclosed.

Keywords: attack, web applications, single sign-on, sign-out, Microsoft, TLS truncation, Google, exploit, authentication, logical flaw





Authors: Ben Smyth, Alfredo Pironti

Source: https://hal.archives-ouvertes.fr/






