category: security


Securing CFID, CFToken and JSessionID cookies


 
A recent presentation given at DEFCON 16 exposed a seemingly unsuspected vulnerability that is common in most SSL-secured websites. Many large and prominent sites such as Gmail, Facebook, Yahoo Mail and others are exposed to this vulnerability simply because they haven't secured their cookies. The presenter dubbed the exploit HTTPS Cookie Hijacking and loosely described it as:

"It turns out an adversary able to position themselves in between you and a website is able to inject arbitrary http-based content elements for domains that do not set the 'Encrypted Sessions Only' property of their cookies, and thus cause your client to transmit these cookies via clear text, intercept them, and impersonate you."
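
A defender-side check for the condition described above, as an added example that is not part of the original post: it parses `Set-Cookie` header values and lists the CFID, CFTOKEN and JSESSIONID cookies issued without the `Secure` attribute, which is what restricts a cookie to HTTPS requests. The function names and the sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for session cookies lacking Secure.
# Cookie names are matched case-insensitively.
SESSION_COOKIES = {"cfid", "cftoken", "jsessionid"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def insecure_session_cookies(set_cookie_headers):
    """Return names of session cookies a browser would also send over plain HTTP."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        # Test for the attribute itself, not the substring "secure":
        # a value such as Path=/secure must not count as protection.
        if name.lower() in SESSION_COOKIES and "secure" not in attrs:
            findings.append(name)
    return findings


# Constructed sample headers (not captured from any real site).
SAMPLE_HEADERS = [
    "CFID=1200; Expires=Wed, 01 Jan 2038 00:00:00 GMT; Path=/",
    "CFTOKEN=12345678; Path=/; secure; HttpOnly",
    "JSESSIONID=ab30cd; Path=/; HttpOnly",
    "THEME=dark; Path=/",
    "jsessionid=ef45ab; Path=/secure",
]

if __name__ == "__main__":
    for cookie_name in insecure_session_cookies(SAMPLE_HEADERS):
        print(f"{cookie_name}: missing Secure attribute")
```
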