Musings on Information Security and Data Privacy: "Surfjacking"

Here is an interesting flaw called "Surfjacking"

Pre-requisites :

Take a MitM situation
Take a site that uses Cookies for Session handling
Take a site that does not set the "secure" cookie flag.

Result :

Victim logs into https://www.somebank.com/
Session cookie is generated and set on the client
Victim visits another website (http://www.example.com)
The MitM attacker sees clea text traffic to www.example.org
Attacker sends a 302, or "301 Moved Permanently" to “Location: http://www.somesecurebank.com/”, . Note the HTTP (not HTTPS).
Victim browser follows the redirect and sends session cookie to http://www.somesecurebank.com in clear text.

Recommendation:

Set-Cookie: NAME=VALUE; expires=DATE; path=PATH;
domain=DOMAIN_NAME; secure

as such the cookie will not be sent to the HTTP site - simple fix, pay attention to this during your next pentest.

Whitepaper : Surf Jacking.pdf

Video :

Sandro Gauci

0 comments

Post a Comment

About Me

Subscribe

Total Pageviews

Blog Archive

Featured Post

The importance of Psychological Safety in Cybersecurity

Popular Posts

Blogs I read

Links

Labels