Speaker: Mike Perry, Reverse Engineer, Riverbed Technology
Last year during my Tor presentations at Black Hat and Defcon, and in a follow-up post on BugTraq, I announced that many SSL-secured websites are vulnerable to cookie hijacking by way of content element injection. Unfortunately, my announcement was overshadowed by Robert Graham's passive cookie stealing attacks (aka 'SideJacking').
The difference between our attacks is this: instead of sniffing passively for cookies, it is possible to actively cull them from targets on your local network by injecting images/iframes for desired sites into unrelated webpages. Moreover, since many sites do not set the 'secure' bit for their SSL cookies, it is even possible to grab cookies used in https sessions and use them to impersonate users. This will be demonstrated.
At the time of this writing, vulnerable SSL sites include Gmail, Facebook, Amazon, and many others. Since widespread awareness of the threat seems to be the only way to convince these vendors that they need to secure their cookies, fully automated exploit code will be provided two weeks after the demonstration (however, it is also possible to steal insecure https cookies with just airpwn and wireshark).
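The following is an added example, not code from the talk or from the speaker, that models the cookie-scoping rule the attack relies on. A cookie set by an https response without the Secure attribute is attached by the browser to any request matching its domain and path, including a plain http:// request for an image or iframe injected into an unrelated page; HttpOnly does not help, because the browser itself sends the cookie. The Set-Cookie headers and hostnames below are constructed for illustration, and the path-matching follows RFC 6265 section 5.1.4 with the default path assumed to be "/".

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # host that set it, or the Domain= attribute
    path: str = "/"        # assumption: default-path simplified to "/"
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie scoped to origin_host."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")      # value may itself contain '='
    c = Cookie(name=name.strip(), value=value.strip(), domain=origin_host.lower())
    for attr in attrs:
        k, _, v = attr.partition("=")
        k, v = k.strip().lower(), v.strip()
        if k == "secure":
            c.secure = True
        elif k == "httponly":
            c.httponly = True
        elif k == "domain" and v:
            c.domain = v.lstrip(".").lower()   # leading dot is ignored
        elif k == "path" and v:
            c.path = v
    return c


def domain_matches(host: str, cookie_domain: str) -> bool:
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def would_be_sent(cookie: Cookie, url: str) -> bool:
    """Browser rule: Secure cookies go only over https; others go anywhere in scope."""
    u = urlparse(url)
    if cookie.secure and u.scheme != "https":
        return False
    if not domain_matches(u.hostname or "", cookie.domain):
        return False
    return path_matches(u.path or "/", cookie.path)


def leaked_by_injection(cookies: list, target_host: str) -> list:
    """Names of cookies the browser attaches to an injected <img src="http://target_host/">."""
    probe = f"http://{target_host}/"
    return [c.name for c in cookies if would_be_sent(c, probe)]


def injection_payload(target_hosts: list) -> str:
    """The markup an attacker would splice into a cleartext page to trigger the cookie leak."""
    return "".join(f'<img src="http://{h}/" width="1" height="1" alt="">' for h in target_hosts)


# Constructed sample: two cookies set over https without Secure, one set correctly.
SAMPLE_SET_COOKIE = [
    ("mail.example.com", "SID=abc123; Path=/; HttpOnly"),
    ("mail.example.com", "PREF=lang=en; Domain=.example.com; Path=/"),
    ("shop.example.net", "session=xyz789; Path=/; Secure; HttpOnly"),
]
SAMPLE_COOKIES = [parse_set_cookie(h, host) for host, h in SAMPLE_SET_COOKIE]

if __name__ == "__main__":
    for host in ("mail.example.com", "shop.example.net"):
        print(host, "leaks over cleartext:", leaked_by_injection(SAMPLE_COOKIES, host))
    print(injection_payload(["mail.example.com", "shop.example.net"]))
```

The check a site owner wants is the inverse of `leaked_by_injection`: every cookie that carries a session or authentication token must be rejected by `would_be_sent` for any http:// URL, which only the Secure attribute guarantees.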
For more information visit: http://bit.ly/defcon16_information
To download the video visit: http://bit.ly/defcon16_videos