Session Identifiers are for Now, Passwords are Forever - XSS-Based Abuse of Browser Password Managers
Offered By: Black Hat via YouTube
Course Description
Overview
Explore the vulnerabilities of browser-based password managers and their susceptibility to Cross-Site Scripting (XSS) attacks in this comprehensive Black Hat conference talk. Learn how XSS can be leveraged to access and leak stored passwords, despite protective measures such as HttpOnly cookies, which shield session identifiers but not credentials that a password manager fills into the page. Examine the current generation of password managers across major browsers, and discover findings from a large-scale study of password field usage on popular websites. Gain insight into attack patterns and security considerations, and receive recommendations for both website operators and users on safeguarding against these threats. Topics covered include the Same-Origin Policy, types of XSS, HTML5 autocomplete, and proposed solutions to enhance password manager security.
Syllabus
Intro
Browser choices
The Same-Origin Policy
XSS - the underlying problem
XSS - what an attacker can do
Types of XSS
Isn't XSS so 2010?
Passwords on the Web
Solution: A Password Manager
Password Managers and XSS
Security Considerations
Five key features of PW Managers
HTML5 autocomplete
Our notion vs. Google's notion
What are login forms like out there?
Analysis of Web password fields
Similar attacker model
Comparing the attacks
Bottom line
Mismatch in notion/implementations
Our proposed solution
Constraints for this approach
PoC Implementation
Functional evaluation
What to take away!
Taught by
Black Hat