Last month at Defcon, Mike Perry gave a talk about a vulnerability in sites that use SSL to secure their traffic: the site saves a cookie on your machine but does not set the flag indicating that the cookie is to be used with encrypted sessions only. If someone can place themselves where they can see your web traffic, they can inject arbitrary content into the data for sites not requiring cookies to set 'Encrypted Sessions Only' and force your browser to provide the saved cookies in a cleartext response. For more information about his tool from last month, see here. Thanks to Chris and Micheal for writing in about it.

David Goldsmith
Sep 11th 2008
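One way to check a site for the condition described above, as an added example that is not part of the original diary or of the tool it mentions: the script audits the `Set-Cookie` headers of an HTTPS response and lists the cookies that lack the encrypted-sessions-only flag, which is the cookie `Secure` attribute. The function names and the sample header values are constructed for illustration.

```python
# Added example: audit Set-Cookie headers from an HTTPS response for the Secure flag.
# The header values below are constructed sample data, not captured traffic.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, dict of lowercased attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    # The first segment is name=value; the value itself may contain '='.
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def cookies_missing_secure(set_cookie_headers):
    """Return names of cookies the browser would also send on plain-HTTP requests."""
    exposed = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        # Secure is a valueless attribute and is matched case-insensitively.
        if name and "secure" not in attrs:
            exposed.append(name)
    return exposed


# Constructed Set-Cookie values as a site might send them over HTTPS.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",
    "auth=9f8e7d; Path=/; Secure; HttpOnly",
    "prefs=lang=en; Path=/; secure",
    "tracker=xyz; Domain=example.test; Path=/; Max-Age=3600",
    "note=insecure; Path=/",  # "secure" inside the value must not count as the flag
]

if __name__ == "__main__":
    for cookie_name in cookies_missing_secure(SAMPLE_HEADERS):
        print(f"{cookie_name}: no Secure flag, sent on cleartext requests too")
```

Any cookie this reports is returned by the browser on unencrypted requests to the same site, which is the exposure the talk describes.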