CookieMonstruo: hijacking the social login, presented at HackMiami 2017

by Martin Von Knobloch

Summary: With this talk we want to revive interest in a largely ignored method of web application account compromise, cookie stealing, by introducing a new PowerShell module, CookieMonstruo, which aims to become the default post-exploitation tool for session hijacking. Using this tool, we show the implications of lax session management controls in web applications, especially those that offer a social login. What becomes possible once a session has been hijacked? A password reset? A compromised account? Money transferred? By the end, we hope to convince you that cookies can sometimes be more interesting loot than passwords.