Billy Rios, application security extraordinaire, posted commentary on Sandro Gauci’s paper entitled “Surf Jacking – HTTPS will not save you.” It’s based on an attack called “Side Jacking” that was introduced during the 2007 BlackHat conference. Essentially, this type of attack allows someone to hijack a web session which would give them access to your account on a particular website.

Branden… In English please…

Ok, so let’s say you make use of some stretch time that the office gives you (assuming they know about it), and head down to the coffee shop of your choice to get a nice fresh cuppa. You bring your laptop with built-in WiFi with the full intention of working on that presentation for Johnson. That guy can’t seem to finish any of his work, and you get stuck cleaning up the mess. The only way you can deal with this kind of crap is to change your surroundings.

So you order that Triple Venti Carmel Macchiato with a dousing of cinnamon and two (not one, not three) mint leaves because it is your guilty pleasure and the guys from work are not within earshot to rip me endlessly for it until I curl up in the corner, sobbing quietly while looking for my blankey.

Anyway… so you pop open your laptop and there Johnson’s presentation sits. Flipping through the cluttered and incomplete slides makes it hard to keep your drink down, so you decide to log into your bank account and see if you have enough reserves to take a sudden unpaid vacation. You hop onto the free WiFi that is so graciously offered by the coffee shop, and proceed to log in. Of course, your bank is smart and uses SSL to secure your connection, but someone was lazy when they coded the application and forgot to make the cookies secure.

No, not the biscotti that you have been gnawing on, a web cookie. Web applications often use cookies to identify different user sessions. That way, John Doe does not get John Q. Public’s information (how embarrassing).

So now, we have unsecured cookies traveling back to the client! “But Branden,” you protest, “all of the data is wrapped in SSL? What’s the worry?”

According to Gauci, the cookie could be retrieved if you look at your bank account and open a new browser window to book travel to AnywhereButHereistan. Simply opening a new window to a non-secure site opens the possibility for an attacker nearby to inject an HTTP Redirect (302) message that will then transmit that session cookie in the clear!

Now the attacker copies the cookie, drops it into his browser, and takes over your session! YIPES!

Rios points out that this is a very simple fix (use the secure flag), but lazy development and poor security review in the SDLC promotes security vulnerabilities like this one. If this is not addressed early in the development process, Rios points out that you could get coded into a corner and have a major rewrite on your hands.

At any rate, those of you who have been solely relying on SSL (or EV-SSL) to ensure your web applications are secure, you should consider having someone like VeriSign’s ESS do a security review of those applications to ensure flaws like this don’t leave your customers screaming!

This post originally appeared on

Possibly Related Posts: