Firesheep


Jamo

Hi, finally someone has made sidejacking easy. Well, it won't last forever, because soon Facebook etc. will have to start using SSL encryption.

http://codebutler.com/firesheep

It's a bit easier than with Ferret and Hamster.

BTW, in Facebook it is possible to change "http://" to "https://" so you will be a bit safer.

Just like Gmail, you can change from standard http to https


You can but it tends to default back to http. I found in Chrome I had to add a --force-https to my .exe shortcut to get it to actually force SSL on my connection.

It's an interesting toy for sure.

Actually you can set Gmail to maintain a persistent https connection.


NoScript has options where you can configure which sites to force SSL connections on and which sites to force cookies to be secure for.

If you are the attacker, how can you use NoScript to turn off the https option on the website that the victim is accessing, in order to sidejack the session?

And most computer users will know that browsing a website in https will be a lot safer than browsing one that doesn't support SSL.

Edited by Infiltrator

1. Facebook sends the cookie in clear-text even if you login via SSL.

2. Gmail is now only done over SSL, no custom settings required, which mitigates this attack somewhat (certain other Google apps are not done over SSL though), but you can just use SSLStrip to get around that.

Also look into using Hamster/Ferret; it can attack all sites and not just a predefined list (and is almost as easy to use).

Edited by sablefoxx

You can't...

It would be interesting to see someone writing an exploit that could tell this function in NoScript to disable HTTPS.


It would be interesting to see someone writing an exploit that could tell this function in NoScript to disable HTTPS.

Web pages can't alter NoScript's function. To that end, if something is on your computer that can alter the configuration of NoScript, you are in far worse trouble than simply worrying whether your connection is over SSL.


It would be interesting to see someone writing an exploit that could tell this function in NoScript to disable HTTPS.

If you could write an exploit to do this you'd already have code running on the machine, which would make it pointless to disable HTTPS because you already owned the box; just hook the encryption DLL.


If you could write an exploit to do this you'd already have code running on the machine, which would make it pointless to disable HTTPS because you already owned the box; just hook the encryption DLL.

Very well said, I didn't realize that part, but it does make sense. Once you owned the machine you could upload some key loggers, which would make the job a lot easier.


Web pages can't alter NoScript's function. To that end, if something is on your computer that can alter the configuration of NoScript, you are in far worse trouble than simply worrying whether your connection is over SSL.

You are right. If I can run arbitrary code on a machine then there isn't much point in disabling NoScript, I pretty much owned the machine. I was just thinking of other ways to turn off NoScript and make sidejacking more effective by turning off HTTPS.


Note: a lot of the time even when the credentials are sent over HTTPS the cookie is still sent in clear text, so you can still use session hijacking. This is why this type of attack is effective, even if you can't get the user/password you can still gain access to an account.

Edited by sablefoxx

Note: a lot of the time even when the credentials are sent over HTTPS the cookie is still sent in clear text, so you can still use session hijacking. This is why this type of attack is effective, even if you can't get the user/password you can still gain access to an account.

So what's the best way to protect the cookies from getting hijacked, if not even https can protect them?

Edit: Found something that helps mitigate Firesheep attack, http://gizmodo.com/5676841/how-to-keep-hac...-with-firesheep

Edited by Infiltrator

2 weeks later...
NoScript has an option to force SSL connections on specified domains and force secure cookies on specified domains.

Do they have a noscript extension for chrome? I don't think he was referring to FF.

Also, as was mentioned above, Facebook sends its cookies over http. Logging in over SSL will hide your username and password, but the whole point of sidejacking is you don't need to know the user name or password to login as the user if you have their active session cookies.

One thing to note though, at least from a safety point on Facebook: they at least take the action to invalidate the cookie if you force a logout when leaving their site, so someone who stole the cookies to take home for later shouldn't be able to reuse them. That was at least what I was able to see when testing it, but I may have foobared something in that test. Twitter on the other hand apparently doesn't do this, as found by Mubix: if you steal a Twitter cookie, you can take it with you and reuse it, and Twitter won't care if you log out, it can still be reused. Not good.

Edited by digip

Umm, so Twitter's code does not force the cookie to expire? That's very bad.


Umm, so Twitter's code does not force the cookie to expire? That's very bad.

From what Mubix showed in one of his videos, after logging out and even deleting the cookies from his cache, Firesheep was still able to use the previously found cookie to reopen the session as the user, which is bad. So it would seem that Twitter doesn't invalidate the cookies when a user logs out.

From what I tried with Facebook, they do invalidate the cookie when you click logout, so the previous cookies didn't seem to work. I haven't done too much testing with it to see if this was a fluke, but either way, it's pretty bad because both sites send the cookies over http even after logging in from an https session. It's kind of bad all around, and social networking sites aren't the only ones who do this. They don't force the session to use only https, which for sites that are used for communication on a social network I think is pretty bad.

I'm pretty sure Hak5 uses some other techniques though, one of them being IP address verification, so if someone did steal your cookies to take home with them, the IP address would fail and force them to login again instead of opening the session.

Edited by digip
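As an added illustration of the points raised in this post and in sablefoxx's note above (example code, not something posted in the thread), here is a minimal server-side session model showing the three mitigations the thread discusses: the Secure flag so the browser never sends the session cookie over plain HTTP, server-side invalidation on logout so a captured cookie cannot be replayed (the Twitter vs. Facebook difference), and the IP-binding check digip mentions. The session store, user names and IP addresses are all constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store: session id -> {"user": ..., "ip": ...}.
# A real site would keep this in a database or cache.
SESSIONS = {}


def login(user, client_ip):
    """Create a server-side session and return the Set-Cookie header value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "ip": client_ip}
    # Secure: the browser only sends the cookie over HTTPS, so it never
    #   appears in cleartext on the wire (the gap Firesheep relies on).
    # HttpOnly: page scripts cannot read it.
    return f"sid={sid}; Secure; HttpOnly; Path=/; SameSite=Lax"


def logout(cookie_header):
    """Drop the server-side session so a copied cookie is useless afterwards."""
    sid = SimpleCookie(cookie_header).get("sid")
    if sid is not None:
        SESSIONS.pop(sid.value, None)


def resolve_session(cookie_header, client_ip):
    """Return the user for a request, or None if the cookie is unknown,
    already logged out, or presented from a different IP than it was issued to.
    Caveat: IP binding also logs out legitimate users whose address changes."""
    sid = SimpleCookie(cookie_header).get("sid")
    if sid is None:
        return None
    sess = SESSIONS.get(sid.value)
    if sess is None or sess["ip"] != client_ip:
        return None
    return sess["user"]


def cookie_is_secure(set_cookie_value):
    """Audit a Set-Cookie header: True only if every cookie carries Secure."""
    jar = SimpleCookie(set_cookie_value)
    return bool(jar) and all(morsel["secure"] for morsel in jar.values())


if __name__ == "__main__":
    hdr = login("alice", "10.0.0.5")          # constructed user and address
    cookie = hdr.split(";")[0]                # what the browser sends back
    print(cookie_is_secure(hdr), resolve_session(cookie, "10.0.0.5"))
    logout(cookie)
    print(resolve_session(cookie, "10.0.0.5"))  # None: replay fails after logout
```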

Do they have a noscript extension for chrome? I don't think he was referring to FF.

I don't think there is any extension for Chrome that has this effect. Firefox actually has (at least) two (NoScript and HTTPS Everywhere), listing the options available is better than no options ;)
