Name: Your Localhost Is Lying to You: Trust Boundary Failures in Enterprise SSO
Start: 2026-06-26T10:30:00+0200
End: 2026-06-26T11:15:00+0200

Your Localhost Is Lying to You: Trust Boundary Failures in Enterprise SSO

Friday June 26, 2026 10:30am - 11:15am CEST

Hall G2 (Level -2)

When an attacker lands on a user’s machine, your SSO should not hand them the keys to your network. Yet many enterprise systems do because they assume localhost subdomains are safe. They are not.

This talk shows how a common DNS misconfiguration (localhost.target.com → 127.0.0.1), combined with domain-wide cookies (Domain=.target.com), allows a locally executed request context to inherit an authenticated session. No XSS. No phishing. Just browser-native behavior.

This flaw is rarely detected by scanners or standard penetration tests, yet it appears in real enterprise deployments today. The session presents a practical testing methodology, a defensive checklist, and research-based validation techniques to assess this class of trust boundary failure safely.

Attendees will leave able to identify and fix this issue in their own SSO deployments next week.

Speakers

Rupesh Kumar

Application Security Researcher | Red Team Practitioner

Rupesh Kumar is an offensive security researcher with 1.5 years of experience in web application testing, vulnerability research, and red team operations. He has reported critical and high-severity vulnerabilities to organizations across government, defense, healthcare, and critical... Read More →

Friday June 26, 2026 10:30am - 11:15am CEST
Hall G2 (Level -2)

Testing

Audience Intermediate

OWASP Global AppSec EU 2026 Vienna

Rupesh Kumar

Get help with the event

OWASP Global AppSec EU 2026 Vienna

Rupesh Kumar

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Get help with the event