From: Marco Ivaldi (raptor@mediaservice.net)
Date: Thu Mar 20 2008 - 05:15:15 EST
Hey 11ack3r,
On Tue, 18 Mar 2008, 11ack3r wrote:
> Hello Everyone,
>
> I was curious to know how would webmail portals like gmail.com and
> yahoo.com protect their users from session hijacking when they use HTTP
> after authentication.
Nice question;)
> As I see it is trivial to capture traffic over the wire including
> session cookies. In such a case can an attacker just reuse the session
> cookies in his/her browser and compromise the user account?
You should try xenion's recently released cookietools:
http://xenion.antifork.org/cookietools/
http://www.securityfocus.com/archive/101/484866/30/570/threaded
Unfortunately, antifork.org seems down at the moment. However, there's a
mirror here:
http://packetstormsecurity.org/web/cookietools-0.3.tgz
> WHat is the best way to protect session cookies from hijacking esp.
> due to network eavesdropping? Of course HTTPS can also be bypassed
> with MITM attacks if users ignore browser warnings.
http://en.wikipedia.org/wiki/Session_hijacking
http://www.owasp.org/index.php/Category:Session_Management
Cheers,
-- Marco Ivaldi, OPST Red Team Coordinator Data Security Division @ Mediaservice.net Srl http://mediaservice.net/ ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:28 EDT