[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Surf Jack - HTTPS will not save you

To: "Full Disclosure" <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Surf Jack - HTTPS will not save you
From: "Sandro Gauci" <sandro@xxxxxxxxxxxxxxxxxx>
Date: Mon, 11 Aug 2008 13:03:01 +0200

Say hello to a new security tool called "Surf Jack" which demonstrates
a security flaw found in various public sites. The proof of concept
tool allows testers to steal session cookies on HTTP and HTTPS sites
that do not set the Cookie secure flag.

Tool: http://surfjack.googlecode.com/
Short paper: http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
Screencast: http://www.vimeo.com/1507697

This research was done independently from Mike Perry's[1], but it
appears to be effectively the same thing.


[1] https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry


--
Sandro Gauci
EnableSecurity
Web: http://enablesecurity.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Surf Jack - HTTPS will not save you
  - From: coderman

Prev by Date: [Full-disclosure] anyone developing a secure telephony application for GSM CSD?
Next by Date: Re: [Full-disclosure] Internet attacks against Georgian web sites
Previous by thread: [Full-disclosure] anyone developing a secure telephony application for GSM CSD?
Next by thread: Re: [Full-disclosure] Surf Jack - HTTPS will not save you
Index(es):
- Date
- Thread