Description: In this talk given at Defcon 16, Mike Perry shows how a website's cookies can be hijacked even when the user only ever talks to the site over an HTTPS connection. So how does this work? A cookie that is created and sent over SSL should have its "secure" flag set. When a browser sees a "secure" cookie, it will only send it over an SSL connection and will never transmit it over a plain-text HTTP connection. The problem arises when a website issues an authentication cookie during an SSL session but does not set the "secure" attribute on it. The browser then treats that cookie like any other and will happily send it in plain text over HTTP to the same domain. An attacker sniffing that traffic can replay the cookie to authenticate to the vulnerable website as the victim.
So how can an attacker force the cookie to be sent over HTTP? The victim never has to visit the vulnerable site over HTTP themselves. An attacker positioned in the victim's network path (for example by hijacking the connection through a DNS hijack or a similar man-in-the-middle attack on plain HTTP traffic) can inject image tags pointing at the vulnerable site into any unencrypted HTTP page the victim receives. The victim's browser then tries to fetch those images from the vulnerable site over HTTP, and because the cookie does not have the secure bit set, the browser attaches it to those plain-text requests. The attacker sniffs the cookie and can now impersonate the victim. Mike mentions in his blog that popular sites such as Gmail had this vulnerability for over a year after his first announcement on Bugtraq, and fixed the problem barely four days before his Defcon talk. Interesting.
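To make the browser-side rule concrete, here is an added Node.js example (not code from the talk or from the CookieMonster tool) that models the part of cookie handling the attack abuses: a tiny cookie jar that follows the RFC 6265 matching rules and decides whether a stored cookie travels with a given request. The hostname mail.example.com, the SID cookie and the injected image path are constructed for illustration.

```javascript
// Added example: a minimal model of how a browser decides whether a stored cookie
// travels with a request, following the matching rules of RFC 6265 section 5.4.
// Not code from the talk or from CookieMonster; hostnames, paths and the cookie
// name/value below are constructed for illustration only.

// Parse a Set-Cookie header into the attributes that matter for the send decision.
// Expires, Max-Age and HttpOnly do not affect transport and are ignored here.
function parseSetCookie(header) {
  const parts = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    secure: false,
    domain: null,   // null means "host-only": sent back to the setting host only
    path: '/',
  };
  for (const attr of parts.slice(1)) {
    const [key, val = ''] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'domain': cookie.domain = val.toLowerCase().replace(/^\./, ''); break;
      case 'path':   cookie.path = val.startsWith('/') ? val : '/'; break;
    }
  }
  return cookie;
}

function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a cookie set by a response received from `fromUrl`.
  setCookie(fromUrl, header) {
    const host = new URL(fromUrl).hostname.toLowerCase();
    const c = parseSetCookie(header);
    if (c.domain === null) {
      c.domain = host;
      c.hostOnly = true;
    } else if (!domainMatches(host, c.domain)) {
      return; // a host may not set cookies for an unrelated domain
    }
    this.cookies.push(c);
  }

  // Return the "name=value" pairs a browser would attach to a request for `url`.
  cookiesFor(url) {
    const u = new URL(url);
    const host = u.hostname.toLowerCase();
    return this.cookies
      .filter(c => !(c.secure && u.protocol !== 'https:'))  // the Secure flag check
      .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .filter(c => pathMatches(u.pathname, c.path))
      .map(c => `${c.name}=${c.value}`);
  }
}

// The scenario from the talk: the victim logs in over HTTPS and receives a session
// cookie. The attacker, sitting on the plain-HTTP path, injects
//   <img src="http://mail.example.com/injected.gif">
// into some unrelated HTTP page the victim loads and sniffs the resulting request.
// Returns the cookies that leave the browser in the clear for that request.
function leakedOverHttp(setCookieHeader) {
  const jar = new CookieJar();
  jar.setCookie('https://mail.example.com/login', setCookieHeader);
  return jar.cookiesFor('http://mail.example.com/injected.gif');
}

// Constructed headers: the vulnerable one as described in the talk, and the fix.
const VULNERABLE = 'SID=s3cr3t-session-token; Domain=.example.com; Path=/; HttpOnly';
const FIXED = VULNERABLE + '; Secure';

console.log('without Secure:', leakedOverHttp(VULNERABLE)); // ['SID=s3cr3t-session-token']
console.log('with Secure:   ', leakedOverHttp(FIXED));      // []
```

Note that the vulnerable header carries HttpOnly: that flag only stops page scripts from reading the cookie and does nothing about transport, so it offers no protection here. Only the Secure attribute keeps the cookie off the plain-text request, and once it is set the same jar still returns the cookie for an https:// request to the site, so legitimate use is unaffected.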
The presentation and video of the talk are available below. Mike also released the CookieMonster tool to automate the attack. You may also want to visit his blog for more details.
Tags: basics
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.