Here is an interesting flaw called "Surfjacking"
- Take a MitM situation
- Take a site that does not set the "secure" cookie flag.
- Victim logs into https://www.somebank.com/
- Session cookie is generated and set on the client
- Victim visits another website (http://www.example.com)
- The MitM attacker sees clear text traffic to www.example.com
- Attacker answers with a redirect, a "302 Found" or "301 Moved Permanently" carrying "Location: http://www.somebank.com/". Note the HTTP (not HTTPS).
- Victim browser follows the redirect and sends the session cookie to http://www.somebank.com/ in clear text.
The fix is the "secure" attribute on the cookie:

Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

With that attribute set, the browser will not send the cookie to the HTTP site at all, so the redirect leaks nothing. A simple fix; pay attention to it during your next pentest.
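As an added example (not code from the original post or the whitepaper), here is a small Python model of the browser's decision: a cookie set without the secure attribute is attached to a plain-HTTP request for the bank's host, one set with it is not, and an audit helper reports the missing flag the way a pentest finding would. The hostnames and cookie values are constructed for the demo.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    secure: bool


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse a Set-Cookie header value (simplified RFC 6265 attribute handling)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(
        name=name.strip(),
        value=value.strip(),
        domain=attrs.get("domain", origin_host).lstrip(".").lower(),
        path=attrs.get("path", "/"),
        secure="secure" in attrs,  # flag attribute, present or absent
    )


def would_send(cookie: Cookie, url: str) -> bool:
    """Browser-side rule: is this cookie attached to a request for url?"""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    domain_ok = host == cookie.domain or host.endswith("." + cookie.domain)
    path_ok = (u.path or "/").startswith(cookie.path)
    # The secure attribute restricts the cookie to https:// requests.
    scheme_ok = u.scheme == "https" or not cookie.secure
    return domain_ok and path_ok and scheme_ok


def audit(header: str, origin_host: str) -> list:
    """Findings for a session cookie: here only the surf-jacking condition."""
    c = parse_set_cookie(header, origin_host)
    if not c.secure:
        return [f"{c.name}: missing secure attribute, sent over http:// too"]
    return []


# Constructed sample headers: the weak cookie and the fixed one.
WEAK = "SESSIONID=abc123; path=/; domain=www.somebank.com"
FIXED = WEAK + "; secure"
```

Run `would_send(parse_set_cookie(WEAK, "www.somebank.com"), "http://www.somebank.com/")` and `would_send(parse_set_cookie(FIXED, "www.somebank.com"), "http://www.somebank.com/")` to see the leak and the fix side by side.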
Whitepaper: Surf Jacking.pdf