Word Cookies Exploit
Lately we released an attack where an evil bad guy (or tester) could easily bypass Outlook Web Access Two Factor Authentication to gain access to sensitive emails. We were hoping to see a change in the way OWA handled authentication. Instead, we we got an email from Microsoft stating this is not an issue anyone should worry about. We also saw several posts from exchange experts saying the same thing…
But we think worrying is probably in order.
This vulnerability is built on a year of work at BHIS. From OWA domain enumeration, to user enumeration, to password enumeration to bypass it has been a slow steady build on this attack. Well, now we will do a full, step-by-step walk through of the attack, from beginning to end, to demonstrate the risk. We will also re-enforce and highlight why the OWASP top 10 are still relevant and so key to this attack.
Get the slides here:
Video Rating: / 5