Jamo Posted October 26, 2010
Hi, finally someone has made sidejacking easy. Well, it won't last forever, because soon Facebook etc. will have to start using SSL encryption. http://codebutler.com/firesheep It's a bit easier than with Ferret and Hamster. BTW, in Facebook it is possible to change "http://" to "https://" so you will be a bit safer.
Infiltrator Posted October 27, 2010
> Hi, finally someone has made sidejacking easy. Well, it won't last forever, because soon Facebook etc. will have to start using SSL encryption. http://codebutler.com/firesheep It's a bit easier than with Ferret and Hamster. BTW, in Facebook it is possible to change "http://" to "https://" so you will be a bit safer.
Just like Gmail, you can change from standard http to https.
Hawk Posted October 29, 2010
You can, but it tends to default back to http. I found in Chrome I had to add --force-https to my .exe shortcut to get it to actually force SSL on my connection. It's an interesting toy for sure.
Infiltrator Posted October 29, 2010
> You can, but it tends to default back to http. I found in Chrome I had to add --force-https to my .exe shortcut to get it to actually force SSL on my connection. It's an interesting toy for sure.
Actually, you can set Gmail to maintain a persistent https connection.
Sparda Posted October 29, 2010
NoScript has options where you can configure which sites to force SSL connections on and which sites to force cookies to be secure on.
Infiltrator Posted October 29, 2010
> NoScript has options where you can configure which sites to force SSL connections on and which sites to force cookies to be secure on.
If you are the attacker, how can you use NoScript to turn off the https option on the website that the victim is accessing, in order to sidejack the session? And most computer users will know that browsing a website over https will be a lot safer than browsing one that doesn't support SSL.
Edited October 29, 2010 by Infiltrator
Sparda Posted October 29, 2010
> If you are the attacker, how can you use NoScript to turn off the https option on the website that the victim is accessing, in order to sidejack the session?
You can't...
sablefoxx Posted October 29, 2010
1. Facebook sends the cookie in clear text even if you log in via SSL.
2. Gmail is now only done over SSL, no custom settings required, which mitigates this attack somewhat (certain other Google apps are not done over SSL though), but you can just use SSLStrip to get around that.
Also look into using Hamster/Ferret; it can attack all sites and not just a predefined list (and is almost as easy to use).
Edited October 29, 2010 by sablefoxx
Infiltrator Posted October 30, 2010
> You can't...
It would be interesting to see someone write an exploit that could tell this function in NoScript to disable HTTPS.
Sparda Posted October 30, 2010
> It would be interesting to see someone write an exploit that could tell this function in NoScript to disable HTTPS.
Web pages can't alter NoScript's function. To that end, if something is on your computer that can alter the configuration of NoScript, you are in far worse trouble than simply worrying whether your connection is over SSL.
sablefoxx Posted October 30, 2010
> It would be interesting to see someone write an exploit that could tell this function in NoScript to disable HTTPS.
If you could write an exploit to do this you'd already have code running on the machine, which would make it pointless to disable HTTPS because you already owned the box; just hook the encryption DLL.
Infiltrator Posted October 30, 2010
> If you could write an exploit to do this you'd already have code running on the machine, which would make it pointless to disable HTTPS because you already owned the box; just hook the encryption DLL.
Very well said, I didn't realize that part, but it does make sense. Once you own the machine you could upload some keyloggers, which would make the job a lot easier.
Infiltrator Posted October 30, 2010
> Web pages can't alter NoScript's function. To that end, if something is on your computer that can alter the configuration of NoScript, you are in far worse trouble than simply worrying whether your connection is over SSL.
You are right, if I can run arbitrary code on a machine then there isn't much point in disabling NoScript; I pretty much own the machine. I was just thinking of other ways to turn off NoScript and make sidejacking more effective by turning off HTTPS.
sablefoxx Posted October 30, 2010
Note: a lot of the time, even when the credentials are sent over HTTPS, the cookie is still sent in clear text, so you can still use session hijacking. This is why this type of attack is effective: even if you can't get the user/password you can still gain access to an account.
Edited October 30, 2010 by sablefoxx
Infiltrator Posted October 30, 2010
> Note: a lot of the time, even when the credentials are sent over HTTPS, the cookie is still sent in clear text, so you can still use session hijacking. This is why this type of attack is effective: even if you can't get the user/password you can still gain access to an account.
So what's the best way to protect the cookies from getting hijacked, if not even https can protect them?
Edit: Found something that helps mitigate the Firesheep attack: http://gizmodo.com/5676841/how-to-keep-hac...-with-firesheep
Edited October 30, 2010 by Infiltrator
Anonymust Posted November 7, 2010
So how can I force my browser (Chrome) to always open all links with facebook.com with https://?
Sparda Posted November 7, 2010
> So how can I force my browser (Chrome) to always open all links with facebook.com with https://?
NoScript has an option to force SSL connections on specified domains and force secure cookies on specified domains.
digip Posted November 7, 2010
> NoScript has an option to force SSL connections on specified domains and force secure cookies on specified domains.
Do they have a NoScript extension for Chrome? I don't think he was referring to FF. Also, as was mentioned above, Facebook sends its cookies over http. Logging in over SSL will hide your username and password, but the whole point of sidejacking is that you don't need to know the username or password to log in as the user if you have their active session cookies.
One thing to note though, at least from a safety point on Facebook, they at least take the action to invalidate the cookie if you force a logout when leaving their site, so someone who stole the cookies to take home for later shouldn't be able to reuse them. That was at least what I was able to see when testing it, but I may have foobared something in that test. Twitter on the other hand apparently doesn't do this, as found by Mubix: if you steal a Twitter cookie, you can take it with you and reuse it, and Twitter won't care if you log out; it can still be reused. Not good.
Edited November 7, 2010 by digip
Infiltrator Posted November 7, 2010
Umm, so Twitter's code does not force the cookie to expire? That's very bad.
digip Posted November 7, 2010
> Umm, so Twitter's code does not force the cookie to expire? That's very bad.
From what Mubix showed in one of his videos, after logging out and even deleting the cookies from his cache, Firesheep was still able to use the previously found cookie to reopen the session as the user, which is bad. So it would seem that Twitter doesn't invalidate the cookies when a user logs out. From what I tried with Facebook, they do invalidate the cookie when you click logout, so the previous cookies didn't seem to work. I haven't done too much testing with it to see if this was a fluke, but either way, it's pretty bad because both sites send the cookies over http even after logging in from an https session.
It's kind of bad all around, and social networking sites aren't the only ones who do this. They don't force the session to use only https, which for sites that use communication on a social network I think is pretty bad. I'm pretty sure Hak5 uses some other techniques though, one of them being IP address verification, so if someone did steal your cookies to take home with them, the IP address would fail and force them to log in again instead of opening the session.
Edited November 7, 2010 by digip
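The three server-side defences the thread circles around (sablefoxx's point that the session cookie leaks in clear text even after an HTTPS login, digip's observation that Facebook invalidates the cookie on logout while Twitter does not, and the IP address verification digip attributes to Hak5) as one constructed example; this is added illustration code, not code from any of the sites or tools mentioned, and the session store, the IP binding rule and the sample IPs are assumptions for the demonstration:

```python
import hmac
import secrets
import time
from http.cookies import SimpleCookie


class SessionStore:
    """Hypothetical server-side session table (constructed for this example)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.sessions = {}  # session id -> (user, client_ip, expiry timestamp)

    def login(self, user, client_ip, now=None):
        """Issue a fresh random session id and bind it to the client's IP address."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, client_ip, now + self.ttl)
        return sid

    def set_cookie_header(self, sid):
        """Set-Cookie value for the session: 'Secure' stops the browser from ever
        sending it over plain http (the leak Firesheep reads), 'HttpOnly' keeps page
        scripts from reading it."""
        return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def user_for(self, sid, client_ip, now=None):
        """Resolve a presented session id to a user, or None if the id is unknown,
        expired, or presented from a different IP than it was issued to."""
        now = time.time() if now is None else now
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, bound_ip, expiry = entry
        if now > expiry or not hmac.compare_digest(bound_ip, client_ip):
            return None
        return user

    def logout(self, sid):
        """Server-side invalidation: a copied cookie is useless after this call."""
        self.sessions.pop(sid, None)


def browser_sends_cookie(set_cookie_header, request_scheme):
    """Model the browser rule that a Secure cookie is only attached to https requests;
    a cookie set without the flag rides along on http too."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar["session"]
    return request_scheme == "https" or not morsel["secure"]
```

Without the Secure attribute the last function returns True for an http request, which is exactly the clear-text cookie exposure the thread describes; with it, only the https path carries the session.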
Sparda Posted November 8, 2010
> Do they have a NoScript extension for Chrome? I don't think he was referring to FF.
I don't think there is any extension for Chrome that has this effect. Firefox actually has (at least) two (NoScript and HTTPS Everywhere); listing the options available is better than no options ;)