MemeStreams Discussion

This page contains all of the posts and discussion on MemeStreams referencing the following web page: Surf Jacking.

Surf Jacking
by Acidus at 1:21 pm EDT, Aug 14, 2008

Side Jacking: When websites use HTTP I can passively monitor network traffic and see your cookies. That's just Bretarded

Surf Jacking: If developers designed an SSL site poorly, by HIJACKING A LOWER NETWORK LAYER I can actively force your browser to reveal its cookies, even if you are using SSL. Pretty cool, but limited.

So there is a design flaw in HTTP state management that some folks might not know about: Developers, not the protocol, make the decision about whether cookies should be served over both secure and insecure connections. And as we know developers typically choose poorly when it comes to security.

Crux of paper: If I hijack a lower network layer I inject HTTP responses to non-SSL requests that force the browser to send its cookies for a site over a non-SSL connection, where anyone (read me) monitoring the traffic can see the session ID.

And that's the problem. If you can hijack network sessions, HTTP cookie theft is a fairly tame thing to do. For example, just MITM a victim when they first try to connect to the secure site. 99.5% of users ignore broken SSL certs anyway. And this works against sites with rotating session IDs where surf jacking would not.

In short, nifty trick, but high barriers that, if passable, let you do way worse things than what this paper describes.
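The cookie rule Acidus describes above, as an added example that is not part of the original thread, the paper or the surf jacking tool: Python's own http.cookiejar applies the same decision a browser does, so the simulation logs a victim in over HTTPS, has the attacker answer an unrelated plaintext request with a redirect to the plain-http URL of the SSL site, and shows which Cookie header the victim's jar attaches to the follow-up request. The hostnames (www.bank.example, neutral.example), the cookie value and all function names are invented for the example.

```python
"""Surf-jacking simulation with the standard library's cookie jar.
Added example, not code from the MemeStreams thread or the paper it discusses.
Hostnames, cookie values and function names are invented for illustration."""
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Stand-in for an HTTP response; CookieJar.extract_cookies only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # repeated keys keep every header

    def info(self):
        return self._headers


def login_over_https(set_cookie_header):
    """Victim signs in at https://www.bank.example (invented host); the server's
    Set-Cookie header is stored in a fresh jar exactly as a browser would store it."""
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request("https://www.bank.example/login")
    jar.extract_cookies(FakeResponse([set_cookie_header]), login)
    return jar


def cookie_header_for(jar, url):
    """The Cookie header the jar attaches to a request for url, or None.
    The jar's policy drops Secure cookies for any non-https scheme."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def inject_redirect(_intercepted_url, secure_site_host):
    """Attacker controlling a lower layer answers whatever plaintext request it sees
    (the intercepted URL itself is irrelevant) with a redirect to the plain-http
    address of the SSL site."""
    return {"status": 302, "Location": "http://%s/" % secure_site_host}


def surf_jack(jar, secure_site_host="www.bank.example"):
    """Victim loads an unrelated http:// page; the injected redirect sends the
    browser to http://<secure site>/ and the sniffer reads the Cookie header of
    that request. Returns the sniffed Cookie header, or None if nothing leaked."""
    injected = inject_redirect("http://neutral.example/", secure_site_host)
    return cookie_header_for(jar, injected["Location"])


if __name__ == "__main__":
    # Developer forgot the Secure attribute: the session ID crosses the wire in clear.
    leaky = login_over_https("SID=4f3a9c1b; Path=/")
    print("without Secure:", surf_jack(leaky))
    # Same cookie with Secure: the jar refuses to send it over http://.
    safe = login_over_https("SID=4f3a9c1b; Path=/; Secure")
    print("with Secure:   ", surf_jack(safe))
    # ...but it is still sent to the real site, so nothing breaks for the user.
    print("https still works:", cookie_header_for(safe, "https://www.bank.example/account"))
```

The attacker never touches the TLS session: the redirect is injected into a plaintext response the victim was going to receive anyway, and the leak happens only because the cookie was set without the Secure attribute. Adding Secure is the developer-side fix the post is pointing at; today HSTS additionally stops the browser from making the http:// request to the site at all.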


 
RE: Surf Jacking
by kuza55 at 6:01 am EDT, Aug 15, 2008

Acidus wrote:
If you can hijack network sessions, HTTP cookie theft is a fairly tame thing to do. For example, just MITM a victim when they first try to connect to the secure site. 99.5% of users ignore broken SSL certs anyway. And this works against sites with rotating session IDs where surf jacking would not.

It is fairly tame, but the tool is very nice and easy to use, and while it's a well known issue it's always nice to be able to pull out an easy-to-use tool when nothing else is working and your victim is somewhat security conscious.


  
RE: Surf Jacking
by Acidus at 3:35 pm EDT, Aug 15, 2008

kuza55 wrote:

Acidus wrote:
If you can hijack network sessions, HTTP cookie theft is a fairly tame thing to do. For example, just MITM a victim when they first try to connect to the secure site. 99.5% of users ignore broken SSL certs anyway. And this works against sites with rotating session IDs where surf jacking would not.

It is fairly tame, but the tool is very nice and easy to use, and while it's a well known issue it's always nice to be able to pull out an easy-to-use tool when nothing else is working and your victim is somewhat security conscious.

Word. The tool is *very* sexy. I like that it doubles as both a capture tool and as a proxy to utilize the stolen tokens.
