Full Disclosure mailing list archives

Re: Predefined Post Authentication Session ID Vulnerability


From: Gage Bystrom <themadichib0d () gmail com>
Date: Fri, 13 Jul 2012 11:24:37 -0700

Well if I understand Tim correctly you wouldn't need a CA. In the attack he
mentioned not once do you ever actually look at the ssl content. He's
talking about redirecting them to plain http and then setting the session
cookie and redirecting them back. Then when the victim logs on over ssl,
the session cookie isn't changed and is treated as authenticated. Obviously
since you set the cookie, you know what it is and can then impersonate
them.

I also agree that it probably wouldn't take too much effort to make that
work, anything that can modify traffic ought to do the job easily enough
with some tweaking. If not it wouldn't take much effort to whip up
something specialized.

On Jul 13, 2012 11:15 AM, "Douglas Huff" <mith () jrbobdobbs org> wrote:

> On Jul 13, 2012, at 11:07, Tim <tim-security () sentinelchicken org> wrote:
>
>> This is complicated, but it's not that much more complicated than what
>> existing MitM tools, such as sslstrip, already do.
>
> Better. I'm fairly certain this entire attack could be
> automated/orchestrated with mitmproxy with close to zero code changes.
>
> Only "hard" part is the procurement of a ca that will work on the target
> or finding some "behind the firewall" app to target that already uses a
> self-signed/invalid cert the users are used to clicking through.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
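The defect the thread describes is a server that keeps the pre-authentication session id after a successful login, so an id planted in the victim's browser becomes an authenticated one. The following added example (not part of the thread, and not any poster's code) models that with an in-memory session store: one login handler keeps the client-supplied id, the other discards it and issues a fresh server-generated id. The store, the cookie header and the planted id are constructed stand-ins; the `__Host-` cookie prefix in the hardened header is a real browser mechanism that goes beyond the thread, since browsers only accept such a cookie from a secure origin, so a response over plain HTTP cannot set it.

```python
"""Session fixation across HTTP/HTTPS: vulnerable vs. hardened login handling.

Constructed example: an in-memory session store stands in for a web
application's session layer. There is no network code; the "browser" is
just the cookie value each step carries.
"""
import secrets


class SessionStore:
    """Maps session id -> session data (constructed stand-in for a real store)."""

    def __init__(self):
        self._sessions = {}

    def get_or_create(self, sid):
        """Accept any client-supplied id and create a session under it if none
        exists. This is the behaviour that lets a planted id take root."""
        if sid is None:
            sid = secrets.token_urlsafe(32)
        self._sessions.setdefault(sid, {"user": None})
        return sid

    def create(self, user):
        """Issue a new server-generated id for an authenticated user."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def vulnerable_login(store, sid, user):
    """Keeps whatever session id the request arrived with. If an attacker
    planted that id earlier (e.g. via Set-Cookie in a plain-HTTP response),
    the attacker now holds an authenticated session id."""
    sid = store.get_or_create(sid)
    store.lookup(sid)["user"] = user
    return sid


def hardened_login(store, sid, user):
    """Discards the pre-authentication session and issues a fresh id on
    successful login, so a planted id is never upgraded to an authenticated one."""
    if sid is not None:
        store.destroy(sid)
    return store.create(user)


def set_cookie_header(sid, hardened):
    """Constructed Set-Cookie line. The hardened form uses the __Host- prefix,
    which browsers only honour from a secure origin with Secure and Path=/,
    plus HttpOnly and SameSite to limit script access and cross-site sending."""
    if hardened:
        return f"Set-Cookie: __Host-sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
    return f"Set-Cookie: sid={sid}"


def simulate_fixation(login):
    """Replay the scenario from the thread against a login handler.

    Returns a dict with the id the victim ends up using and whether the
    attacker's planted id now maps to the victim's authenticated session."""
    store = SessionStore()
    planted = "attacker-chosen-id"  # constructed: value pushed into the victim's browser
    store.get_or_create(planted)    # victim's first request makes the server adopt it
    victim_sid = login(store, planted, "victim")
    planted_session = store.lookup(planted)
    attacker_can_impersonate = (
        planted_session is not None and planted_session["user"] == "victim"
    )
    return {"victim_sid": victim_sid, "attacker_can_impersonate": attacker_can_impersonate}


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        result = simulate_fixation(handler)
        print(f"{name:10s} planted id authenticated: {result['attacker_can_impersonate']}")
        print("           ", set_cookie_header(result["victim_sid"], handler is hardened_login))
```

The check a reviewer wants is the one `simulate_fixation` performs: after login, the id the client arrived with must no longer resolve to the authenticated session. Regenerating the id on every privilege change is the core fix; the `__Host-` prefix and Secure flag are defence in depth, since a cookie set over plain HTTP is otherwise sent to the HTTPS origin of the same host.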
