Network Security Pen-Test

Re: IE7 add-on

Subject: Re: IE7 add-on
Date: Sun, 10 Feb 2008 15:59:56 -0800 (PST)
Hi Jason,

Maybe I've misunderstood, but from the information given I'm not sure if that 
constitutes a man in the middle attack. What's probably happening is that the 
browser is re-sending the session cookie to the server and since the session 
hasn't timed out yet the site gets reloaded within the other tab.

A man in the middle would mean that somehow someone malicious is stealing your 
cookie whilst it's being transmitted from your PC to the server. If your bank is 
using SSL and there is a proxy in between - then your browser should complain 
or give you a warning asking if you'd like to proceed... 

I guess if you are concerned that it's loading sites from other tabs - then it's 
more likely a feature bug rather than an inherent security problem in itself?

Cheers


----- Original Message ----
From: "jason_jones98@hotmail.com" <jason_jones98@hotmail.com>
To: pen-test@securityfocus.com
Sent: Friday, 8 February, 2008 1:34:00 AM
Subject: IE7 add-on

Hi.

I have just loaded the IE7 add-on 'open-last-tab', has anyone else had a play 
with this? From initial results I have found this to be a great 
'man-in-the-middle' attack tool.

Example on bank site (no names):

Log into your bank, open another tab within the window i.e. Google. Close the 
banking tab, hit Alt-X and the 'logged-in' banking window re-opens. I have also 
attempted this on other applications and the majority work. Can someone advise 
if M$ have provided us with a great MITM plug-in tool? 


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
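
The behaviour discussed in this thread, as an added example that is not part of the original messages: a re-opened tab re-sends the same session cookie, so whether the page comes back logged in is decided by the server's session state. The `SessionStore` class, the 900-second idle timeout and the user name are assumptions made for illustration.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session table: session id -> (user, last_seen)."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout  # seconds of inactivity allowed
        self._sessions = {}

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = (user, now)
        return sid

    def authenticate(self, sid, now):
        """Return the user for a presented cookie value, or None if rejected."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None  # unknown id, or already logged out
        user, last_seen = entry
        if now - last_seen > self.idle_timeout:
            del self._sessions[sid]  # expire server-side, not only in the browser
            return None
        self._sessions[sid] = (user, now)  # sliding idle window
        return user

    def logout(self, sid):
        # Closing a tab never reaches this code; only an explicit logout does.
        self._sessions.pop(sid, None)


def reopen_tab_scenario():
    """Constructed timeline (seconds) of a tab being closed and re-opened."""
    store = SessionStore(idle_timeout=900)
    results = {}
    sid = store.login("alice", now=0)
    # Tab closed, then re-opened a minute later: same cookie, still valid.
    results["reopen_within_timeout"] = store.authenticate(sid, now=60)
    # Re-opened 901 seconds after the last request: rejected by the server.
    results["reopen_after_timeout"] = store.authenticate(sid, now=961)
    # New login, explicit logout, then the old cookie is re-sent: rejected.
    sid2 = store.login("alice", now=1000)
    store.logout(sid2)
    results["reopen_after_logout"] = store.authenticate(sid2, now=1010)
    return results


if __name__ == "__main__":
    print(reopen_tab_scenario())
```

The first case is what the add-on shows: nothing was intercepted in transit, the session was simply still live on the server when the cookie came back.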
