[Full-disclosure] Surf Jack - HTTPS will not save you
Sandro Gauci
sandro at enablesecurity.com
Mon Aug 11 12:03:01 BST 2008
Say hello to a new security tool called "Surf Jack" which demonstrates
a security flaw found in various public sites. The proof of concept
tool allows testers to steal session cookies on HTTP and HTTPS sites
that do not set the Cookie secure flag.
Tool: http://surfjack.googlecode.com/
Short paper: http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
Screencast: http://www.vimeo.com/1507697
This research was done independently from Mike Perry's[1], but it
appears to be effectively the same thing.
[1] https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry
--
Sandro Gauci
EnableSecurity
Web: http://enablesecurity.com/
Full-Disclosure is hosted and sponsored by Secunia.