Overview of Web MITM Vulnerabilities

I've realized that the fact that I'm still getting questions to the effect of "How does this attack differ from Robert Graham's 'Sidejacking' attack?" means I did not do a very good job of classifying what sorts of vulnerabilities a Man In The Middle attacker can exploit over the web, especially with respect to what CookieMonster does that other tools do not (or at least do not automate). This post is an attempt to clarify the situation, and to describe the two main classes of cookie-stealing Man In The Middle vulnerabilities that affect popular websites, depending on their security properties.

CookieMonster Core Logic, Configuration, and READMEs

This post describes the core logic of CookieMonster in more precise terms than the previous overview post. The hope is to drive home exactly how the tool functions, and to underscore that source code counts as speech in this capacity (and in general). In addition, the README that illustrates how the tool is used, and a README describing a "Quick Start" Live CD method for Mac and Windows users who do not have Linux installs are now available. Finally, an example configuration file for the tool is now posted as well. These should hopefully give a clearer picture of how the tool works and how it can be used.

How to Properly Provide Mixed HTTP and HTTPS Support

I've noticed that many sites seem to want to only support SSL partially, so that they don't have to invest in expensive SSL accelerators. While I can't necessarily say this fits in with my grand design to move the entire web over to SSL for good, if it has to be done, it might as well be done securely. This post attempts to describe the general pattern for how to do it.

Why Full Disclosure?

When I explained the completeness and the automated nature of my HTTPS cookie hijacking tool, the first reaction of many of my friends was to remark "Are you sure it is a good idea to release this?"

Why the Gmail HTTPS "Fix" Isn't

About a week before my talk, Google announced that they are "making security easier" by providing people with the option of using only HTTPS for Gmail. I think this "fix" is still broken for several reasons.

Automated HTTPS Cookie Hijacking

This past weekend I gave a talk at DEFCON 16 describing a very common vulnerability in many SSL-secured websites (slides are here). It actually all started last year when I began development on The Torbutton Firefox Extension and agreed to speak at Black Hat USA 2007 and DEFCON 15 on my findings with respect to Tor security. In that talk, I announced that many sites used over Tor were not setting the 'Encrypted Sessions Only' bit (the cookie's Secure flag) on cookies they set over HTTPS. This is the case with Gmail, most Drupal sites, Facebook, Amazon's purchase history, Yahoo Mail, Hotmail/MSN, many, many online merchants, and a few of my friends' banks.

CookieMonster: Cookie Hijacking

CookieMonster is a proof-of-concept Python-based cookie hijacking utility that is able to capture cookies of improperly secured HTTPS sites via the local network. In its default mode of operation, CookieMonster tracks the HTTPS sites visited by each local client IP and then automatically injects HTML elements referencing each of those HTTPS domains into subsequent regular HTTP responses to that client. This causes any HTTPS cookies lacking the Secure flag for the automatically collected target domains to be transmitted unencrypted for capture by CookieMonster, which then writes them into Firefox 2.0 or 3.0 compatible cookie files.
