Learn Cookies and Tokens Security in Practice.

Overview

  • The full article is posted on my blog.
  • The video presentation is shared here.
  • The presentation slides are shared here.
  • The exploit codes are shared here.
  • Special thanks to @YShahinzadeh for interactive dockerized labs!

Labs installation

git clone https://github.com/HolyBugx/Demystifying-Cookies-and-Tokens-Security.git
cd Demystifying-Cookies-and-Tokens-Security
docker build -t samesite . --rm
docker run --name samesite -p 80:80 -v $PWD/another-site-mainsite.lab/:/var/www/app/another -v $PWD/same-site-mainsite.lab/:/var/www/app/main -v $PWD/xyz.subdomain.same-site-mainsite.lab/:/var/www/app/sub --rm samesite

The session cookie's SameSite attribute can be changed by editing the session_set_cookie_params() call in index.php (Lax is the default used by the labs; Strict and None are the other values to try):

session_set_cookie_params([
    'samesite' => 'Lax'
]);

Then add the following lines to your hosts file so that the three lab hostnames resolve to the local container:

127.0.0.1 same-site-mainsite.lab
127.0.0.1 xyz.subdomain.same-site-mainsite.lab
127.0.0.1 another-site-mainsite.lab
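The three hostnames above are chosen so that one is a subdomain of the main site (same-site) and one merely shares a name prefix (cross-site). The following is an added example, not code from the lab repository, that models the browser's SameSite decision for those hosts; it assumes .lab is a plain TLD with no public-suffix entry, so the site is the last two labels of the host.

```javascript
// Added example (not part of the lab repo): models how a browser decides whether a cookie
// with a given SameSite value accompanies a request between the three lab hosts.
// Assumption: ".lab" is treated as a plain TLD, so the site of a host is its last two labels.
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// ctx: { initiator: host of the page issuing the request, target: host receiving it,
//        method: 'GET' | 'POST', topLevel: true for a navigation, false for <img>/fetch/XHR }
function cookieSent(sameSite, ctx) {
  const sameSiteRequest = site(ctx.initiator) === site(ctx.target);
  if (sameSiteRequest) return true; // same-site requests always carry the cookie
  switch (sameSite.toLowerCase()) {
    case 'strict': return false;                                  // never cross-site
    case 'lax':    return ctx.topLevel && ctx.method === 'GET';   // top-level safe navigations only
    case 'none':   return true;                                   // always (browsers also require Secure)
    default:       throw new Error('unknown SameSite value: ' + sameSite);
  }
}

const MAIN  = 'same-site-mainsite.lab';
const SUB   = 'xyz.subdomain.same-site-mainsite.lab';  // same site as MAIN
const OTHER = 'another-site-mainsite.lab';             // cross-site despite the similar name

// Tabulate the common request shapes from each lab origin against the main site
// for every SameSite mode, so the effect of the index.php setting is visible at a glance.
function labMatrix() {
  const shapes = [
    ['top-level GET',  { method: 'GET',  topLevel: true }],
    ['top-level POST', { method: 'POST', topLevel: true }],
    ['img/fetch GET',  { method: 'GET',  topLevel: false }],
  ];
  const rows = {};
  for (const initiator of [SUB, OTHER]) {
    for (const [label, shape] of shapes) {
      for (const mode of ['Strict', 'Lax', 'None']) {
        rows[`${initiator} -> ${MAIN} ${label} [${mode}]`] =
          cookieSent(mode, { initiator, target: MAIN, ...shape });
      }
    }
  }
  return rows;
}

console.table(labMatrix());
```

The table shows why the subdomain lab always receives the session cookie while the look-alike host only does so for Lax top-level GET navigations or with SameSite=None.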

Credentials

Username: security
Password: flow
Owner
HolyBugx
Web Application Security Researcher & Bug Bounty Hunter