Jump to content

Recommended Posts

Posted

There was a counter measure to SSL Strip that was implemented after Moxie had released it. Not sure what it is called, don't remember. You could be running into that though.

Forgot to add my test environment. Victim --> Backtrack 5 R1 Attacker--> ARMv5 XFCE. Victim attempting to access gmail via mozilla firefox 9.0.1.

Posted

Gmail has a way to avoid sslstrip, it has HSTS (Just had Moxie confirm what it was called).

http://en.wikipedia....nsport_Security

that is good thing? lol

I just had a sick idea for a prank exploit.

create a tool that adds HSTS headers to every web page request, that way the persons browser is essentially useless on those pages that can't serve up https.

I wonder if you could even speed it up by adding 10s or 100s of sites into one page owning multiple in one go.

Posted (edited)

Gmail has a way to avoid sslstrip, it has HSTS (Just had Moxie confirm what it was called).

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Did some troubleshooting. Came up with some strange results. One my computer time was way off. Another was while using Backtrack 5 as a victim I was able to grab passwords for twitter and so on but not gmail. When I switched to Windows 7 as the victim. I could grab them all. Don't have a mac os to try yet. Thought it was kinda strange.

Edited by Sleven

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...