| ]

Here is an interesting flaw called "Surfjacking"

Pre-requisites :

  • Take a MitM situation
  • Take a site that uses Cookies for Session handling
  • Take a site that does not set the "secure" cookie flag.
Result :
  • Victim logs into https://www.somebank.com/
  • Session cookie is generated and set on the client
  • Victim visits another website (http://www.example.com)
  • The MitM attacker sees clea text traffic to www.example.org
  • Attacker sends a 302, or "301 Moved Permanently" to “Location: http://www.somesecurebank.com/”, . Note the HTTP (not HTTPS).
  • Victim browser follows the redirect and sends session cookie to http://www.somesecurebank.com in clear text.

Recommendation:
Set-Cookie: NAME=VALUE; expires=DATE; path=PATH;
domain=DOMAIN_NAME; secure
as such the cookie will not be sent to the HTTP site - simple fix, pay attention to this during your next pentest.

Whitepaper :
Surf Jacking.pdf

Video :

Sandro Gauci