
Re: a changing network security landscape is difficult for even the biggest tech companies to wrestle with

coderman wrote on 14.09.2007 06:39:
> On 9/13/07, scar <scar@xxxxxxxxxx> wrote:
>> ...
>> so, if we are using a website that uses HTTPS, but, in firefox, for
>> example, in the cookies list under that website it shows "Send
>> for: any type of connection", then the session is vulnerable?
> vulnerable against a MITM that can request / inject an HTTP page,
> frame, or item to the site.  this would expose the auth cookie and
> allow hijacking of the account.
> for solely passive monitoring, as long as everything is HTTPS it will
> be protected. <snip>

Unfortunately, the problem is bigger than that. Suppose a website that
stores user_login+hashed_password as an authentication token in a cookie
not marked as a "secure (SSL only)" cookie. If, even accidentally, our
user browses to that site by means of an open HTTP connection, his browser will
transfer this stored cookie in a standard GET request and make it
susceptible to passive sniffing. Now the attacker can trivially pass
the same cookie data to the website and hijack the user's account.

SATtva | security consulting
www.vladmiller.info | www.pgpru.com
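As an added illustration (not part of the original thread), the following Python model of a browser cookie jar shows the mechanism both messages describe: a cookie set without the Secure attribute is attached to a plain-HTTP request for the same host, while a Secure cookie is not, and a defender-side audit flags the cookie that needs fixing. The host name, cookie names and values are constructed.

```python
"""Model of a browser cookie jar: a cookie lacking the Secure attribute is
sent over plain HTTP, which is the leak discussed in the thread.
Added illustration; site, cookie names and values are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str, domain: str) -> Cookie:
    """Parse a Set-Cookie header value into a Cookie record."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return Cookie(name, value, domain, "secure" in attrs, "httponly" in attrs)


def cookies_for_request(jar, url):
    """Cookies a browser would attach to a request for `url`:
    Secure cookies go only to https://, the rest go over any scheme."""
    u = urlsplit(url)
    return [c for c in jar
            if c.domain == u.hostname and (u.scheme == "https" or not c.secure)]


def audit(jar):
    """Defender check: session cookies that would leak over plain HTTP."""
    return [c.name for c in jar if not c.secure]


# Constructed sample: one cookie set correctly, one missing Secure.
SITE = "shop.example"
JAR = [
    parse_set_cookie("sid=abc123; Secure; HttpOnly; Path=/", SITE),
    parse_set_cookie("auth=alice:5f4dcc3b; Path=/", SITE),
]

if __name__ == "__main__":
    leaked = cookies_for_request(JAR, f"http://{SITE}/")
    print("sent over plain HTTP:", [c.name for c in leaked])  # ['auth']
    print("needs Secure:", audit(JAR))                       # ['auth']
```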
