sponsors
usenix conference policies
Truncating TLS Connections to Violate Beliefs in Web Applications
Ben Smyth and Alfredo Pironti, INRIA Paris-Rocquencourt
We identify logical web application flaws which can be exploited by TLS truncation attacks to desynchronize the user- and server-perspective of an application’s state. It follows immediately that servers may make false assumptions about users, hence, the flaw constitutes a security vulnerability. Moreover, in the context of authentication systems, we exploit the vulnerability to launch the following practical attacks: we exploit the Helios electronic voting system to cast votes on behalf of honest voters, take full control of Microsoft Live accounts, and gain temporary access to Google accounts.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Ben Smyth and Alfredo Pironti},
title = {Truncating {TLS} Connections to Violate Beliefs in Web Applications},
booktitle = {7th USENIX Workshop on Offensive Technologies (WOOT 13)},
year = {2013},
address = {Washington, D.C.},
url = {https://www.usenix.org/conference/woot13/workshop-program/presentation/smyth},
publisher = {USENIX Association},
month = aug
}
connect with us