lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 10 Dec 2007 14:45:55 +0100 From: "michele dallachiesa" <michele.dallachiesa@...il.com> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, darklab@...ts.darklab.org, pen-test@...urityfocus.com Subject: The Cookie Tools v0.3 -- first public release hi, I would like to announce you the first public release of The Cookie Tools project! included tools: ** cookiesniffer ** cookiesniffer is a simple and powerful cookie sniffer that recognizes (through heuristics) and reconstructs (through libnids) new and existing HTTP connections, parsing any valid or partially valid HTTP message. The output is a set of files containing the gathered information with time-stamps in a format that can be trivially searched and parsed with standard UNIX tools such as grep, awk, cut and sed. It supports wireless (AP_DLT_IEEE802_11) networks. ** analyzers ** this set of Bash scripts help you to analyze quickly the logs of cookiesniffer. ** cookieserver ** with cookieserver you can impersonate the cookies of someone else in your browser using the logs of cookiesniffer (in few seconds). This attack is also called "side-jacking", "cookie replay attack" and "HTTP session hijacking" but probably I'm missing other fancy names. This is something known from ten years but that is still (too much) effective. This project is released under license GPL version 2. Download: http://xenion.antifork.org/cookietools/index.html A list of public vulnerable web services is available here: http://xenion.antifork.org/cookietools/lista/index.html If you know other vulnerable services, mail me and i'll add them to the VULN list. If you know some not vulnerable services, mail me and i'll add them to the SECURE list. Use "COOKIETOOLS LISTA" as subject to skip my spam filters. why HTTPS is not the default in this type of services? this is a big silent hole. maybe, today is less silent :) Cheers, -- Michele Dallachiesa 'xenion' http://xenion.antifork.org Antifork Research, Inc. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists