Full Disclosure mailing list archives
Re: Predefined Post Authentication Session ID Vulnerability
From: Gage Bystrom <themadichib0d () gmail com>
Date: Fri, 13 Jul 2012 11:24:37 -0700
Well, if I understand Tim correctly, you wouldn't need a CA. In the attack he mentioned, not once do you ever actually look at the SSL content. He's talking about redirecting them to plain HTTP and then setting the session cookie and redirecting them back. Then when the victim logs on over SSL, the session cookie isn't changed and is treated as authenticated. Obviously, since you set the cookie, you know what it is and can then impersonate them.

I also agree that it probably wouldn't take too much effort to make that work; anything that can modify traffic ought to do the job easily enough with some tweaking. If not, it wouldn't take much effort to whip up something specialized.

On Jul 13, 2012 11:15 AM, "Douglas Huff" <mith () jrbobdobbs org> wrote:
> On Jul 13, 2012, at 11:07, Tim <tim-security () sentinelchicken org> wrote:
>
>> This is complicated, but it's not that much more complicated than what existing MitM tools, such as sslstrip, already do.
>
> Better. I'm fairly certain this entire attack could be automated/orchestrated with mitmproxy with close to zero code changes. The only "hard" part is the procurement of a CA that will work on the target, or finding some "behind the firewall" app to target that already uses a self-signed/invalid cert the users are used to clicking through.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
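The defect the thread is arguing about is server-side: a session ID that was in the browser before login (however it got there) stays valid, and simply gets flagged as authenticated. The fix is the same one regardless of how the cookie was planted: regenerate the ID on login, invalidate the old one, and scope the cookie to HTTPS. The following is an added illustration written for this archive page, not code from anyone in the thread; the session store, the `login_vulnerable`/`login_fixed` handlers, the `alice` account and the `Set-Cookie` format are all constructed for the demo.

```python
"""Session fixation, server side: keep vs. regenerate the session ID at login.

Constructed demo for this archive page (not code from the thread). The
session store and handlers are deliberately minimal; real frameworks expose
the same two operations (destroy old session, issue fresh id) under other names.
"""
import secrets

# Constructed credential table for the demo; no real accounts.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal server-side session store keyed by the cookie value."""

    def __init__(self):
        self._sessions = {}  # sid -> {"user": None | str}

    def new_session(self, user=None):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, cookie_sid):
        """Return (sid, session) for a presented cookie; unknown ids get a fresh session."""
        if cookie_sid is None or cookie_sid not in self._sessions:
            cookie_sid = self.new_session()
        return cookie_sid, self._sessions[cookie_sid]

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def whoami(self, sid):
        """User bound to this id, or None if the id is unknown or unauthenticated."""
        sess = self._sessions.get(sid)
        return sess["user"] if sess else None


def password_ok(user, password):
    expected = USERS.get(user)
    return expected is not None and secrets.compare_digest(expected, password)


def set_cookie_header(sid, secure):
    """Constructed Set-Cookie line; Secure keeps the browser from sending it over plain HTTP."""
    attrs = ["Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: sid=%s; %s" % (sid, "; ".join(attrs))


def login_vulnerable(store, cookie_sid, user, password):
    """Keeps whatever id the browser presented and just flips it to authenticated."""
    sid, sess = store.lookup(cookie_sid)
    if not password_ok(user, password):
        return sid, None
    sess["user"] = user  # the pre-auth id (possibly planted) is now an authenticated id
    return sid, set_cookie_header(sid, secure=False)


def login_fixed(store, cookie_sid, user, password):
    """Regenerates the id at the privilege change and scopes the cookie to HTTPS."""
    old_sid, _ = store.lookup(cookie_sid)
    if not password_ok(user, password):
        return old_sid, None
    store.destroy(old_sid)                 # anything that existed before login is dead
    new_sid = store.new_session(user=user)  # fresh id the pre-login world never saw
    return new_sid, set_cookie_header(new_sid, secure=True)


def simulate(login):
    """Run one login flow where the browser already carried a pre-auth id at login time."""
    store = SessionStore()
    planted = store.new_session()  # a valid pre-auth id that the browser presents at login
    victim_sid, header = login(store, planted, "alice", USERS["alice"])
    return {
        "planted_sid_is_authenticated": store.whoami(planted) == "alice",
        "victim_sid_changed": victim_sid != planted,
        "cookie_secure": "Secure" in (header or ""),
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, simulate(handler))
```

`simulate` reports, for each handler, whether the ID that was in the browser before login now maps to the logged-in user, whether the browser was handed a new ID, and whether the cookie carries `Secure`. The vulnerable handler answers yes/no/no; the fixed one no/yes/yes. The check to add to an application or a test suite is the first one: after a successful login, the pre-login session ID must resolve to nobody.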