
Truncating TLS Connections to Violate Beliefs in Web Applications

Abstract : We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application's state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts.
Document type : Conference papers
Contributor : Ben Smyth
Submitted on : Wednesday, September 18, 2013 - 5:36:02 PM
Last modification on : Wednesday, April 6, 2022 - 3:48:21 PM


  • HAL Id : hal-00863371, version 1



Ben Smyth, Alfredo Pironti. Truncating TLS Connections to Violate Beliefs in Web Applications. WOOT'13: 7th USENIX Workshop on Offensive Technologies, 2013, Washington, United States. ⟨hal-00863371⟩


