Truncating TLS Connections to Violate Beliefs in Web Applications

Abstract: We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application's state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts.
Document type: Conference paper
WOOT'13: 7th USENIX Workshop on Offensive Technologies, 2013, Washington, United States. USENIX Association, 2013

https://hal.inria.fr/hal-00863371
Contributor: Ben Smyth
Submitted on: Wednesday 18 September 2013 - 17:36:02
Last modified on: Friday 25 May 2018 - 12:02:06

Identifiers

  • HAL Id: hal-00863371, version 1

Citation

Ben Smyth, Alfredo Pironti. Truncating TLS Connections to Violate Beliefs in Web Applications. WOOT'13: 7th USENIX Workshop on Offensive Technologies, 2013, Washington, United States. USENIX Association, 2013. 〈hal-00863371〉
