Full Disclosure mailing list archives
Re: Surf Jack - HTTPS will not save you
From: Noam Rathaus <noamr () beyondsecurity com>
Date: Tue, 12 Aug 2008 09:34:51 +0300
Hi,

Apparently only Gmail has this feature; Google Apps site owners do not have this option in their settings tab - so they are still vulnerable to attack.

On Tuesday 12 August 2008 02:37:24 coderman wrote:
> On Mon, Aug 11, 2008 at 4:03 AM, Sandro Gauci <sandro () enablesecurity com>
> wrote:
> > Say hello to a new security tool called "Surf Jack" which demonstrates a
> > security flaw found in various public sites. The proof of concept tool
> > allows testers to steal session cookies on HTTP and HTTPS sites that do not
> > set the Cookie secure flag.
>
> note: Gmail now supports an account option to enforce the secure only bit on
> session cookies and keeps your entire gmail session on SSL. this makes
> attacks like this and Mike Perry's active side jacking impossible, as the
> session cookie is no longer sent in the clear when http:// non-SSL links are
> injected into browser content.
>
> to enable this feature:
> - at top of page select "Settings"
> - scroll to bottom of section for "Browser connection:" preference
> - select "Always use https"
>
> this will pass the Secure / secureonly option when setting the GX=... session
> cookie used to identify your authenticated session. this cookie will then
> never be sent over plain-text connections, protecting you from passive /
> active side jacking attacks.
>
> be sure to use a somewhat modern browser that supports secure only cookies.
> you can also verify correct operation with the "Live HTTP Headers" plugin
> for Firefox.
>
> hopefully ongoing attention and improved tools demonstrating the need for
> continuous SSL / secureonly session management will be adopted by all web
> developers and sites. (i'm not holding my breath...)
>
> best regards,
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
--
Noam Rathaus
CTO
noamr () beyondsecurity com
http://www.beyondsecurity.com
"Know that you are safe."
Beyond Security Finalist for the "Red Herring 100 Global" Awards 2007
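As an added illustration of the mechanism coderman describes above (this is not code from the thread, from Surf Jack, or from Gmail): a small model of how a browser's cookie jar honours the Secure attribute, plus the header check you would otherwise do by eye in Live HTTP Headers. The cookie name GX comes from the thread; the hostname mail.example.com, the token values and the helper names are constructed for this example, and Domain/Path/Expires scoping is deliberately left out so only the transport decision is shown.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # True only if the Set-Cookie header carried the Secure attribute


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (name=value plus ';'-separated attributes).

    Only the Secure flag is tracked; Domain/Path/Expires scoping is left out on
    purpose so the example stays focused on the plain-text vs SSL decision.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = any(p.lower() == "secure" for p in parts[1:])
    return Cookie(name.strip(), value.strip(), secure)


def cookies_for_request(jar, url):
    """Return the cookies a browser may attach to a request for `url`.

    A Secure cookie is attached only when the request itself is HTTPS; this is
    the rule that stops an injected http:// link from carrying the session.
    """
    scheme = urlsplit(url).scheme.lower()
    return [c for c in jar if scheme == "https" or not c.secure]


def cookie_header(jar, url) -> str:
    """Build the Cookie request header for `url` ('' if nothing may be sent)."""
    return "; ".join(f"{c.name}={c.value}" for c in cookies_for_request(jar, url))


def cookies_missing_secure(set_cookie_headers):
    """Names of cookies that would travel in the clear: the thing to look for in
    the Set-Cookie lines a header-inspection tool such as Live HTTP Headers shows."""
    return [c.name for c in map(parse_set_cookie, set_cookie_headers) if not c.secure]


# Constructed sample headers; the token value is a placeholder, not a real session.
WEAK_SET_COOKIE = "GX=SESSIONTOKEN_PLACEHOLDER; Path=/; HttpOnly"
SECURE_SET_COOKIE = "GX=SESSIONTOKEN_PLACEHOLDER; Path=/; Secure; HttpOnly"

# Two requests a browser might make for the same (constructed) site: the HTTPS
# page the user asked for, and an http:// URL injected into page content.
HTTPS_URL = "https://mail.example.com/mail/"
INJECTED_HTTP_URL = "http://mail.example.com/mail/"


def demo():
    """Compare what the browser would send with and without the Secure attribute."""
    weak_jar = [parse_set_cookie(WEAK_SET_COOKIE)]
    secure_jar = [parse_set_cookie(SECURE_SET_COOKIE)]
    return {
        "weak_over_http": cookie_header(weak_jar, INJECTED_HTTP_URL),
        "secure_over_http": cookie_header(secure_jar, INJECTED_HTTP_URL),
        "secure_over_https": cookie_header(secure_jar, HTTPS_URL),
        "audit_weak": cookies_missing_secure([WEAK_SET_COOKIE]),
        "audit_secure": cookies_missing_secure([SECURE_SET_COOKIE]),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result!r}")
```

Running it shows the weak jar handing the GX cookie to the plain http:// request, while the Secure jar sends it only on the https:// request; `cookies_missing_secure` is the same check applied directly to the Set-Cookie lines a server returns, which is what the "Always use https" setting changes on Gmail's side.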
Current thread:
- Surf Jack - HTTPS will not save you Sandro Gauci (Aug 11)
- Re: Surf Jack - HTTPS will not save you coderman (Aug 11)
- Re: Surf Jack - HTTPS will not save you Noam Rathaus (Aug 12)
- Re: Surf Jack - HTTPS will not save you coderman (Aug 11)