[Owasp-spanish] Surf Jack - HTTPS will not save you

fabio.e.cerullo en aib.ie
Tue Aug 12 06:05:13 EDT 2008


Say hello to a new security tool called "Surf Jack" which demonstrates a 
security flaw found in various public sites. The proof of concept tool 
allows testers to steal session cookies on HTTP and HTTPS sites that do 
not set the Cookie secure flag.

Tool: http://surfjack.googlecode.com/
Short paper: 
http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
Screencast: http://www.vimeo.com/1507697 - very illustrative on how to do 
it.

This research was done independently from Mike Perry's [1], but it appears 
to be effectively the same thing.


[1] https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Perry

Fabio Cerullo
Information Security 
Bankcentre D1, 
Ballsbridge,
Dublin 4,
Ireland.
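A defender-side check for the flaw the post describes, added here as an example that is not part of the original post or the Surf Jack tool: it parses Set-Cookie header values and flags cookies that lack the Secure attribute (which the browser would also send over plain HTTP) or HttpOnly. The function names and the sample headers are constructed for this example.

```python
"""Audit Set-Cookie headers for the Secure (and HttpOnly) attributes.

A cookie without Secure is sent on plain HTTP requests to the same host,
so a session cookie issued over HTTPS is exposed the moment the browser
makes any HTTP request to that host. This checker reports such cookies.
"""
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    problems: list = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieFinding:
    """Parse one Set-Cookie value into the cookie name and attribute flags."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/) are irrelevant here.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieFinding(name=name, secure="secure" in attrs,
                         httponly="httponly" in attrs)


def audit_set_cookie(headers):
    """Return a finding for every cookie that is exposed over HTTP or to script."""
    findings = []
    for value in headers:
        f = parse_set_cookie(value)
        if not f.secure:
            f.problems.append("missing Secure: sent over plain HTTP too (surf jacking)")
        if not f.httponly:
            f.problems.append("missing HttpOnly: readable by script")
        if f.problems:
            findings.append(f)
    return findings


# Constructed sample headers, as an HTTPS login response might send them.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/",
    "auth=tok456; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print(finding.name, "->", "; ".join(finding.problems))
```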