Here is an interesting flaw called "Surfjacking"

Pre-requisites :

  • Take a MitM situation
  • Take a site that uses Cookies for Session handling
  • Take a site that does not set the "secure" cookie flag.
Result :
  • Victim logs into
  • Session cookie is generated and set on the client
  • Victim visits another website (
  • The MitM attacker sees clear text traffic to
  • Attacker sends a 302 or "301 Moved Permanently" redirect whose “Location:” header points to . Note the HTTP (not HTTPS).
  • Victim browser follows the redirect and sends session cookie to in clear text.

Set-Cookie: NAME=VALUE; expires=DATE; path=PATH;
domain=DOMAIN_NAME; secure
With the secure flag set, the browser will not send the cookie to the HTTP site. A simple fix; pay attention to this during your next pentest.
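As an added illustration (my own code, not part of the original post or of the whitepaper): a small Python helper that parses a Set-Cookie header the way a browser stores it, models the rule the attack relies on (a cookie is attached to a plain http:// request for the same host unless it carries the secure flag), and audits a list of headers for session cookies missing that flag. The host name, cookie name and value are constructed; expiry is deliberately not modelled.

```python
"""Added example: audit Set-Cookie headers for the Surf Jacking weakness.

Not from the original post or whitepaper. Hostnames, cookie names and
values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str           # host the cookie applies to (lower-case, no leading dot)
    host_only: bool       # True when no Domain attribute was given
    path: str = "/"
    secure: bool = False  # the flag this whole post is about


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse one Set-Cookie header value as a browser would store it.

    origin_host is the host that sent the response; it is needed because a
    cookie without a Domain attribute is scoped to exactly that host.
    Expiry is not modelled: an expired cookie is simply never sent.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(),
                    domain=origin_host.lower(), host_only=True)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":          # flag attribute, carries no value
            cookie.secure = True
        elif key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
            cookie.host_only = False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
    return cookie


def _domain_matches(cookie: Cookie, host: str) -> bool:
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def _path_matches(cookie: Cookie, request_path: str) -> bool:
    # RFC 6265 path-match: equal, or a prefix that ends on a "/" boundary.
    if request_path == cookie.path:
        return True
    if request_path.startswith(cookie.path):
        return cookie.path.endswith("/") or request_path[len(cookie.path)] == "/"
    return False


def would_be_sent(cookie: Cookie, url: str) -> bool:
    """Would a browser attach this cookie to a request for url?

    This is the rule the attack abuses: after the injected redirect the
    browser requests http://<site>/ and, unless the cookie is marked
    secure, the session cookie travels in clear text.
    """
    u = urlsplit(url)
    if cookie.secure and u.scheme != "https":
        return False
    host = (u.hostname or "").lower()
    return _domain_matches(cookie, host) and _path_matches(cookie, u.path or "/")


def audit_session_cookies(headers: List[str], origin_host: str) -> List[str]:
    """Return one finding per session-looking cookie that lacks the secure flag."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header, origin_host)
        if "sess" in cookie.name.lower() and not cookie.secure:
            findings.append(
                f"{cookie.name}: no 'secure' flag; would be sent to "
                f"http://{cookie.domain}{cookie.path}"
            )
    return findings


# Constructed headers: the same session cookie without and with the fix.
VULNERABLE = ("SESSIONID=0123456789abcdef; expires=Wed, 21 Oct 2015 07:28:00 GMT; "
              "path=/; domain=bank.example")
FIXED = VULNERABLE + "; secure"

if __name__ == "__main__":
    for label, header in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        c = parse_set_cookie(header, "bank.example")
        print(f"{label:10} sent over http://bank.example/ ? "
              f"{would_be_sent(c, 'http://bank.example/')}")
    print(audit_session_cookies([VULNERABLE, FIXED], "bank.example"))
```

Run as a script it prints True for the unflagged cookie and False for the flagged one against http://bank.example/, and a single audit finding for SESSIONID. During a review, feed `audit_session_cookies` the Set-Cookie headers from the login response (from a proxy capture or `curl -i`) and treat every finding as the weakness this post describes.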

Whitepaper :
Surf Jacking.pdf

Video :

Sandro Gauci

