SecurityTubeBeta
Watch ... Learn ... Contribute
Active HTTPS Cookie Hijacking (Mike Defcon 16)
In this talk given at Defcon 16, Mike Perry explains how website cookies can be hijacked even when they are sent over an HTTPS connection. So how does this work? A cookie that is created and sent over SSL generally needs to have its "secure" flag set. When a browser sees a "secure" cookie, it sends it only over an SSL connection and never over a plain-text HTTP connection. The problem arises when a website creates an authentication cookie while communicating over SSL but does not set the "secure" parameter in the cookie. Such a cookie can be sent in plain text over HTTP. An attacker sniffing this connection can use the cookie to authenticate to the vulnerable website on behalf of the victim.
So how can an attacker force the cookie to be sent over HTTP? An easy way could be to hijack the TCP connection using, say, a DNS hijack attack and inject images corresponding to the vulnerable site into the HTTP page received by the victim. This causes the victim's browser to try to fetch them from the vulnerable site. As the cookie does not have the secure bit set, the victim's browser will send the cookie over the unencrypted channel, and the attacker can then impersonate the victim by using the cookie. Mike mentions in his blog that popular sites such as Gmail had this vulnerability for over a year after his first announcement on Bugtraq and barely fixed the problem 4 days before his Defcon talk. Interesting.
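For site owners, the missing "secure" flag described above can be checked directly in the Set-Cookie headers of HTTPS responses. The following Python sketch is an added example, not code from the talk or from the CookieMonster tool; the header lines, cookie names and function names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers received over HTTPS for a missing
# Secure attribute. The header lines are constructed sample data.

SAMPLE_HTTPS_RESPONSE_HEADERS = [
    "Set-Cookie: SID=abc123; Path=/; HttpOnly",                   # Secure missing
    "Set-Cookie: LSID=def456; Path=/accounts; Secure; HttpOnly",  # correctly flagged
    "Set-Cookie: prefs=secure; Path=/",      # the value contains the word, the flag is absent
    "Set-Cookie: token=xyz; path=/; SECURE", # attribute names are case-insensitive
    "Content-Type: text/html",
]

def parse_set_cookie(line):
    """Return (name, attribute_names) for a Set-Cookie line, or None for other headers."""
    field, _, value = line.partition(":")
    if field.strip().lower() != "set-cookie":
        return None
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    # Everything after the first name=value pair is an attribute.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def cookies_missing_secure(header_lines):
    """Names of cookies the browser would also attach to plain-HTTP requests."""
    missing = []
    for line in header_lines:
        parsed = parse_set_cookie(line)
        if parsed and "secure" not in parsed[1]:
            missing.append(parsed[0])
    return missing

def add_secure(line):
    """Server-side fix: append the Secure attribute to a Set-Cookie line that lacks it."""
    parsed = parse_set_cookie(line)
    if parsed is None or "secure" in parsed[1]:
        return line
    return line.rstrip().rstrip(";") + "; Secure"

if __name__ == "__main__":
    for name in cookies_missing_secure(SAMPLE_HTTPS_RESPONSE_HEADERS):
        print(f"cookie {name!r} was set over HTTPS without the Secure attribute")
```

The check matches the attribute name only, so a cookie whose value happens to contain the word "secure" is still reported.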
The presentation and video of the talk are available below. Mike also released the CookieMonster tool to automate the attack. You may also want to visit his blog for more details.
Author

Vivek Ramachandran is a security evangelist and has been working in computer security related fields for the past 7 years. In 2007, Vivek spoke at the world-renowned conferences Defcon (WEP Cloaking Exposed) and Toorcon (The Caffe Latte Attack). The discovery of the Caffe Latte Attack was covered by CBS5 news, BBC online, Network World and other news agencies. In 2006, Vivek was announced as one of the winners of the Microsoft Security Shootout contest held in India among 65,000 participants. He has also been a recipient of a Team Achievement at Cisco Systems for his work on 802.1x and Port Security modules on the Catalyst 6500 switches. Currently he spends all of his time maintaining Security-Freak.Net, SecurityTube.Net and is the co-founder of Axonize. Vivek is a Bachelor in Electronics and Communications Engineering from the prestigious Indian Institute of Technology, Guwahati. You can contact him at vivek[at]securitytube.net