|
Full Disclosure
mailing list archives
Re: Predefined Post Authentication Session ID Vulnerability
From: Douglas Huff <mith () jrbobdobbs org>
Date: Fri, 13 Jul 2012 13:14:59 -0500
On Jul 13, 2012, at 11:07, Tim <tim-security () sentinelchicken org> wrote:
This is complicated, but it's not that much more complicated than what
existing MitM tools, such as sslstrip, already do.
Better. I'm fairly certain this entire attack could be automated/orchestrated with mitmproxy with close to zero code
changes.
Only "hard" part is the procurement of a ca that will work on the target or finding some "behind the firewall" app to
target that already uses a self-signed/invalid cert the users are used to clicking through.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
|
