Conference papers

Truncating TLS Connections to Violate Beliefs in Web Applications

Abstract : We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application's state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts.
Document type : Conference papers

https://hal.inria.fr/hal-00863371
Contributor : Ben Smyth
Submitted on : Wednesday, September 18, 2013 - 5:36:02 PM
Last modification on : Friday, May 25, 2018 - 12:02:06 PM

Identifiers

  • HAL Id : hal-00863371, version 1

Citation

Ben Smyth, Alfredo Pironti. Truncating TLS Connections to Violate Beliefs in Web Applications. WOOT'13: 7th USENIX Workshop on Offensive Technologies, 2013, Washington, United States. ⟨hal-00863371⟩
