coderman wrote on 14.09.2007 06:39:
> On 9/13/07, scar <scar@xxxxxxxxxx> wrote:
>> ...
>> so, if we are using a website that uses HTTPS, but, in firefox, for
>> example, in the cookies list under that website it shows "Send
>> for: any type of connection", then the session is vulnerable?
>
> vulnerable against a MITM that can request / inject an HTTP page,
> frame, or item to the site. this would expose the auth cookie and
> allow hijacking of the account.
>
> for solely passive monitoring, as long as everything is HTTPS it will
> be protected.

<snip>

Unfortunately, the problem is bigger than that. Suppose a website that stores user_login+hashed_password as an authentication token in a cookie not marked as "secure (SSL only) cookie". If, even accidentally, our user browses to that site by means of an open HTTP, his browser will transfer this stored cookie in a standard GET request and make it susceptible to passive sniffing. Now the attacker can trivially pass the same cookie data to the website and hijack the user's account.

--
SATtva | security consulting
www.vladmiller.info | www.pgpru.com
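A site operator can check for the exposure discussed in this thread by auditing the Set-Cookie headers their HTTPS pages return. The following is an added example, not part of the original messages; the cookie names and values are constructed, and domain and path matching are left out so that only the Secure attribute decides the outcome.

```python
# Added example: audits Set-Cookie headers for cookies a browser would
# also attach to plain-HTTP requests. All sample data is constructed.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()  # names are case-insensitive
    return name.strip(), val.strip(), attrs


def sent_over(scheme, attrs):
    """Would the browser attach this cookie to a request using this scheme?"""
    if "secure" in attrs:
        return scheme == "https"
    return True  # what Firefox lists as "Send for: any type of connection"


def audit(set_cookie_headers):
    """Return the names of cookies that would go out in a plain-HTTP request."""
    exposed = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if sent_over("http", attrs):
            exposed.append(name)
    return exposed


# Constructed headers from a hypothetical HTTPS login response.
SAMPLE = [
    "auth=alice:HASHED_PASSWORD_PLACEHOLDER; Path=/; HttpOnly",
    "session=9c1f0e; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for cookie_name in audit(SAMPLE):
        print(f"{cookie_name}: sent over plain HTTP; mark it Secure if it carries auth state")
```

Here `auth` is the case described in the reply above: it is set over HTTPS but lacks Secure, so a single plain-HTTP request to the site would carry it in the clear.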