Full Disclosure mailing list archives

Surf Jack - HTTPS will not save you
From: "Sandro Gauci" <sandro () enablesecurity com>
Date: Mon, 11 Aug 2008 13:03:01 +0200

Say hello to a new security tool called "Surf Jack" which demonstrates
a security flaw found in various public sites. The proof of concept
tool allows testers to steal session cookies on HTTP and HTTPS sites
that do not set the Cookie secure flag.

Tool: http://surfjack.googlecode.com/
Short paper: http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
Screencast: http://www.vimeo.com/1507697

This research was done independently from Mike Perry's[1], but it
appears to be effectively the same thing.


[1] https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry


--
Sandro Gauci
EnableSecurity
Web: http://enablesecurity.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
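
A defender-side check for the condition the announcement names (session cookies set without the secure flag), as an added example that is not part of the original post or of the Surf Jack tool. The function names and the header lines are constructed for illustration.

```python
# Added example: audit Set-Cookie headers from an HTTPS site for the Secure
# attribute. SAMPLE_HEADERS is constructed sample data, not captured traffic.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    # Only the first '=' separates name from value; the value may contain '='.
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_missing_secure(set_cookie_headers):
    """Return the names of cookies set without the Secure attribute."""
    missing = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        # Check the parsed attribute list, not a substring of the whole header,
        # so a cookie whose *value* contains "secure" is not wrongly passed.
        if "secure" not in attrs:
            missing.append(name)
    return missing


SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",        # no Secure: sent over HTTP too
    "auth=deadbeef; Path=/; Secure; HttpOnly",   # Secure set
    "pref=secure=yes; Path=/",                   # "secure" only inside the value
    "token=xyz; path=/; SECURE",                 # attribute in upper case
    "track=1; Domain=example.test; Expires=Wed, 09 Jun 2027 10:18:14 GMT",
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"cookie {cookie_name!r} is set without the Secure attribute")
```

Feed it the Set-Cookie values collected from a site's HTTPS responses; any session cookie it reports will also be sent by the browser over plain HTTP.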