Surf Jack - HTTPS will not save you

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Surf Jack - HTTPS will not save you
From: lists@xxxxxxxxxxxxxxxxxx
Date: 11 Aug 2008 09:30:37 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Say hello to a new security tool called ?Surf Jack? which demonstrates a 
security flaw found in various public sites. The proof of concept tool allows 
testers to steal session cookies on HTTP and HTTPS sites that do not set the 
Cookie secure flag.

Tool: http://surfjack.googlecode.com/
Short paper: http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
Screencast: http://www.vimeo.com/1501107

This research was done independently from Mike Perry's[1], but it appears to be 
effectively the same thing. 


[1] https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry


--
Sandro Gauci
EnableSecurity
Web: http://enablesecurity.com/

Prev by Date: Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
Next by Date: Re: OpenID/Debian PRNG/DNS Cache poisoning advisory
Previous by thread: CA Host-Based Intrusion Prevention System SDK kmxfw.sys Multiple Vulnerabilities
Next by thread: Re: [funsec] Internet attacks against Georgian web sites
Index(es):
- Date
- Thread