CookieMonster

CookieMonster Available for All Site Admins, Bloggers, Students

Two weeks ago, I announced on Slashdot that CookieMonster was available via email to people who were security consultants and site admins. Unfortunately, I guess I wasn't crystal clear on the procedure for requesting the tool, and many people simply emailed me with no body. Now I'm announcing it again, and also opening up the field to all journalists and all bloggers as well. So, if you would like a copy of the tool, and are a security consultant, teacher, student, blogger, journalist, or site admin, please email me with which sites you admin, write for, blog on, or consult with, and MAKE SURE to put "CookieMonster" in the subject line. If you can't figure out my email address, you are automatically ineligible for the tool ;).

CookieMonster: Cookie Hijacking

CookieMonster is a proof-of-concept, Python-based cookie hijacking utility that can capture cookies of improperly secured HTTPS sites via the local network. In its default mode of operation, CookieMonster tracks the HTTPS sites visited by each local client IP and then automatically injects HTML elements for each HTTPS domain into subsequent regular HTTP requests to a particular client. This causes any insecure HTTPS cookies from the automatically collected target domains to be transmitted unencrypted for capture by CookieMonster, which then writes them into Firefox 2.0 or 3.0 compatible cookie files.
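For site admins, the exposure described above comes down to cookies that an HTTPS site sets without the Secure attribute, since browsers also send those on plain HTTP requests to the same domain. The following check is an added example, not part of CookieMonster or the original post; it audits the Set-Cookie headers of a response from your own site, and the function names and sample headers are constructed for illustration.

```python
from typing import NamedTuple

class CookieFinding(NamedTuple):
    name: str
    secure: bool
    domain: str  # Domain attribute, or "" for a host-only cookie

def parse_set_cookie(header_value: str) -> CookieFinding:
    """Parse one Set-Cookie value of the form name=value; attr; attr=val."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    secure = False
    domain = ""
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()  # attribute names are case-insensitive
        if key == "secure":
            secure = True
        elif key == "domain":
            domain = val.strip().lstrip(".").lower()
    return CookieFinding(name.strip(), secure, domain)

def insecure_cookies(raw_headers: str) -> list[CookieFinding]:
    """Return every cookie set without Secure in a block of raw response headers."""
    findings = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            cookie = parse_set_cookie(value)
            if not cookie.secure:
                findings.append(cookie)
    return findings

# Constructed sample: headers as an HTTPS login response might return them.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly
Set-Cookie: csrftoken=xyz789; Path=/; Secure; HttpOnly
Set-Cookie: prefs=lang%3Den; Domain=.example.test; Path=/; secure
Set-Cookie: tracking=42; Domain=.example.test; Expires=Wed, 09 Jun 2027 10:18:14 GMT
"""

if __name__ == "__main__":
    for c in insecure_cookies(SAMPLE_HEADERS):
        scope = c.domain or "host-only"
        print(f"{c.name}: missing Secure ({scope}); sent on plain HTTP requests")
```

Note that HttpOnly on SESSIONID does not help here: it restricts script access in the browser, not transmission over unencrypted HTTP.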
