OWASP Ottawa Jan 21st 2026: Bypassing SameSite cookie protections in browsers
Details
Welcome to our in-person meetup at the University of Ottawa
In-Person Location:
150 Louis-Pasteur Private, Ottawa,
University of Ottawa
Room 117
We will continue to live stream on our YouTube channel (https://www.youtube.com/@OWASP_Ottawa). Subscribe to the channel and set a reminder, and you’ll get a notification as soon as we go live!
YouTube Live Stream Link: TBA!
6:00 PM EST Arrival, setup, mingle, PIZZA!!!
6:30 PM EST Technical Talks
- Introduction to OWASP Ottawa, Public Announcements.
- "SameSite... or not? Bypassing SameSite cookie protections in modern browsers" with Vincent Dragnea
Abstract:
SameSite... or not? Bypassing SameSite cookie protections in modern browsers
SameSite cookies are often relied upon too heavily to prevent cross-site request forgery, yet, due to browser implementations, these cookies can be included in unexpected requests. This talk demonstrates novel techniques to attach SameSite=Strict cookies to GET requests originating from another site, including a Google Chrome vulnerability (CVE-2025-8581) discovered while researching these methods. This material aims to help researchers identify insecure behaviours, as well as teach developers how to avoid them.
Speaker:
Vincent Dragnea is an application security consultant at Forward Security. He has 7 years of experience as a security researcher, since making the leap to cybersecurity from a software development background. Always eager to learn more, and OSWE-certified, Vincent loves to find creative exploits before they are weaponized, to make the internet a safer place.




