SideJacking – Stealth WiFi Attack

One new word I learned this year from the BlackHat conference is SideJacking. You are vulnerable to this attack whenever you are using a public WiFi hotspot to access your unencrypted HTTP applications (such as webmail), as demonstrated by Robert Graham, CEO of Errata Security.

SideJacking is about sniffing HTTP traffic and cloning whatever cookies are exchanged between the browser and the server. In this way, the attacker can clone your session IDs and eventually hijack your account.

What’s truly scary is how stealthy the whole process is: because of the way HTTP works, the server has no way to tell the difference between legitimate requests and cloned requests, since both carry the same session cookie. This way you might get the surprise of seeing some new emails in the "Sent" folder of your webmail, and it’s virtually impossible to deny the fact that you sent those emails.

The attack is carried out using a custom-made sniffer called Ferret, which dumps session data to a file. Hamster is the second tool; it reads the Ferret dump and opens up a local proxy which enables you to sidejack any sniffed session.

This I would call a nice Man-in-the-Middle attack 🙂 The tools are released freely on the author’s blog.
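The precondition for the attack described above is a session cookie that the browser will send over plain HTTP, where anyone on the same hotspot can read it. The following Python script is an added example (not from the original post or from the Ferret/Hamster tools) that audits Set-Cookie headers for exactly that condition; the name hints and the sample headers are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Substrings that usually mark a session identifier (assumption; extend as needed).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed sample Set-Cookie header values, one per header line, as a webmail
# server might emit them. Not captured from any real service.
SAMPLE_HEADERS = [
    "MAILSESSID=abc123def; Path=/; HttpOnly",   # session cookie, no Secure flag
    "PREF=en; Path=/",                          # preference cookie, harmless
    "SID=xyz789; Path=/; Secure; HttpOnly",     # session cookie, HTTPS only
]

def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)

def audit_set_cookie(header_value: str) -> list:
    """Return one finding dict per cookie in a single Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        secure = bool(morsel["secure"])        # flag parses to True, else ""
        session_like = looks_like_session_cookie(name)
        findings.append({
            "name": name,
            "session_like": session_like,
            "secure": secure,
            "httponly": bool(morsel["httponly"]),
            # The sidejacking precondition: a session cookie the browser will
            # send on a cleartext HTTP request, where a passive sniffer sees it.
            # HttpOnly does not help here; it only hides the cookie from script.
            "sniffable_session": session_like and not secure,
        })
    return findings

def sniffable_session_cookies(headers) -> list:
    """Names of session cookies across all headers that lack the Secure flag."""
    names = []
    for header in headers:
        names.extend(f["name"] for f in audit_set_cookie(header)
                     if f["sniffable_session"])
    return names

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        for finding in audit_set_cookie(header):
            print(finding)
    print("sniffable session cookies:", sniffable_session_cookies(SAMPLE_HEADERS))
```

A cookie flagged here is sent even when the user logs in over HTTPS but later loads any page of the site over HTTP, which is why switching the bookmark to https alone does not fully close the hole.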


4 Responses to “SideJacking – Stealth WiFi Attack”

  • 1
    dre
    August 16th, 2007 13:09

    Evil Twin is a better attack and has been known for quite some time. There are many tools to inject or read cleartext data off of any wired or wireless transmission or insert yourself as MITM or MITB.

    If the website is intelligent, they will make sure that any real transactions (setting a new password, changing an email address, anything involving a purchase, etc) require the full 2FA or MFA.

    If you think about it, cookie poisoning is similar to ARP poisoning, parameter tampering (a cookie is just a parameter in the HTTP header) or any other spoofing breach of confidentiality and non-repudiation.

  • 2
    Dragos Lungu
    August 16th, 2007 13:35

    Actually you don’t need to run another fake AP like the Evil Twin attack. All you need to do is hook up to the public (crowded) AP and start sniffing. It’s a lot easier.

    Apart from SSL / VPN, you are right, applications should require 2FA at least for sensitive operations.

    I doubt however that (free) webmail apps will integrate 2FA anytime soon and I’ve seen more than once confidential data sent by yahoo / gmail 🙂

  • 3
    Jordan
    August 16th, 2007 13:50

    I gotta say, that topic is pretty underwhelming to me. Was anybody really surprised at this result? Of course people use plain text and on open wifi networks their credentials (session cookies or otherwise) are often vulnerable. Hardly new or exciting.

    A whole new term: “sidejacking”? This is /not/ an attack worthy of a new name. 🙂

    VPN first, change your bookmark to https://gmail.google.com/; any number of easy ways to not get caught.

  • 4
    Researcher
    August 27th, 2007 19:35

    @Jordan: The “https” recommendation for not getting sidejacked isn’t necessarily a good solution. See this article.
