lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 10 Dec 2007 14:45:55 +0100
From: "michele dallachiesa" <michele.dallachiesa@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	darklab@...ts.darklab.org, pen-test@...urityfocus.com
Subject: The Cookie Tools v0.3 -- first public release

hi,
I would like to announce you the first public release of The Cookie
Tools project!

included tools:

** cookiesniffer **
cookiesniffer is a simple and powerful cookie sniffer that recognizes
(through heuristics) and reconstructs (through libnids) new and
existing HTTP connections, parsing any valid or partially valid HTTP
message. The output is a set of files containing the gathered
information with time-stamps in a format that can be trivially
searched and parsed with standard UNIX tools such as grep, awk, cut
and sed. It supports wireless (AP_DLT_IEEE802_11) networks.

** analyzers **
this set of Bash scripts help you to analyze quickly the logs of cookiesniffer.

** cookieserver **
with cookieserver you can impersonate the cookies of someone else in
your browser using the logs of cookiesniffer (in few seconds). This
attack is also called "side-jacking", "cookie replay attack" and "HTTP
session hijacking" but probably I'm missing other fancy names. This is
something known from ten years but that is still (too much) effective.

This project is released under license GPL version 2.

Download:
http://xenion.antifork.org/cookietools/index.html

A list of public vulnerable web services is available here:
http://xenion.antifork.org/cookietools/lista/index.html
If you know other vulnerable services, mail me and i'll add them to
the VULN list.
If you know some not vulnerable services, mail me and i'll add them to
the SECURE list.
Use "COOKIETOOLS LISTA" as subject to skip my spam filters.

why HTTPS is not the default in this type of services? this is a big
silent hole. maybe, today is less silent :)


Cheers,
-- 
Michele Dallachiesa 'xenion' http://xenion.antifork.org
Antifork Research, Inc.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ