[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] insecure elements in https protected pages



Any request on that page that is in http is an insecure element.  
Mixing HTTP and HTTPS on the same page is insecure as the credentials,  
cookies or other identifying data would be sent in the clear to the  
HTTP server.

Install FireBug and watch what pages are loaded, or manually go  
through the HTML and move all page elements over to SSL.


-j

On Oct 18, 2009, at 3:03 PM, Mohammad Hosein wrote:

> in a certain web application e.g gmail there are times the whole  
> communication is secured by ssl and sometimes "there are insecure  
> elements" that raise questions . i'm not a web professional . how to  
> find these insecure elements ? and how to evaluate if these elements  
> are the results of a successful man in the middle attack or not ?
>
> regards
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/