Web browsing on SSL sites may not be as secure as you think. Security researcher Mike Perry has released additional details about his CookieMonster tool, which can be used to steal private data via HTTPS cookies. Mike Perry spoke about the issue at the Defcon security conference.

Talk of HTTPS cookie hijacking is pushing its way toward the front of the line of security concerns with the release of details regarding an automated tool dubbed the CookieMonster.
The Python-based tool is the brainchild of reverse engineer Mike Perry, who spoke about HTTPS cookie hijacking at the Defcon 16 security conference in Las Vegas in August. Though Perry has put off making the tool available to the general public, he recently posted more details explaining how the tool works on his blog, which prompted the SANS Institute to give a heads-up.
With HTTPS cookies in their metaphorical jar, cyber-crooks could potentially access online accounts. In an overview, Perry described CookieMonster as an automated tool that can be configured to steal the cookies for a specific list of domains for every client IP on the local network. The tool is also able to compromise arbitrary insecure SSL (Secure Sockets Layer) sites without the need to provide such a target list.
"Basically, [the issue] revolves around the fact that cookies have two modes: secure and insecure," Perry wrote in a blog post. "If a cookie is insecure, a browser will transmit it for plain old HTTP connections, and an active attacker can then inject a set of HTTP images for sites that they want cookies for, and the browser will happily transmit cookies for these sites unencrypted, allowing their capture."
In addition to cookies that HTTPS sites set without the secure flag, CookieMonster also steals URL-based session ID details, which are used to prevent cross-site request forgery.
According to Perry, the injection mechanism is the airpwn-style TCP race condition attack. Currently, only open and WEP (Wired Equivalent Privacy) wireless injection is supported.
"Since CookieMonster is local, it is able to respond to arbitrary Web requests considerably faster than the actual Web server," he wrote in a separate overview of the tool. "This allows us to hijack any connections we wish."
To check whether a Web site is vulnerable using Firefox, users can go to the Privacy tab in the Preferences window and select Show Cookies.
"For a given site, inspect the individual cookies for the top-level name of the site, and any subdomain names, and if any have 'Send For: Encrypted connections only,' delete them," Perry explained on his blog. "Then try to visit your site again. If it still allows you in, the site is insecure and your session can be stolen. You should report this to the site maintainer."
To help deal with the issue, Firefox users can reportedly take advantage of the NoScript 1.8.0.5 plug-in.