Reconsidering The Side-jacking Attack

Sun, 17 Feb 2008 17:11:19 GMT

Not that long ago, I made some comments on Robert Graham's side-jacking attack. Clearly, my reasoning was based on his PowerPoint slides rather than his BlackHat presentation, where he is more than clear about the motivation behind his work. I had become part of the senseless bashing masses that are currently haunting the hacker circles. Therefore, I would like to set things right once and for all on this particular topic.

Although Robert's research comes down to sniffing the air and extracting cookies from unencrypted HTTP sessions, which is not particularly new, I consider his work very innovative: simple but very powerful. He clearly improved upon an area that no one was looking at at the time of his presentation, and he made a serious impact on overall user awareness. The most interesting part of the side-jacking attack is not the concepts it involves but the types of tools it makes use of. I can see that Robert is very clear about that, having previewed his BlackHat talk. The Hamster and Ferret tools have introduced a new era of tool design that many future projects will probably incorporate. Simply put, these tools make the process easier, and this is quite important in many, many ways.

My judgment was based entirely on what I would like to refer to as the new factor. We, as a community, are keen to appreciate innovation but fail to see it when it is not obvious. This statement may sound controversial, but it is not far from the truth. Bugs are discovered on a daily basis, yet we are more interested in reading about them than in looking for the small changes that make big impacts. I hope that we change this type of thinking one day and embrace a bit more of the creative spirit, the spirit that is not restricted by any boundaries, false beliefs and, mostly, prejudice.

Open your eyes and clear your mind.

I'm confused here, writing a tool that doesn't need to be written since you can do the same with existing tools is now innovation? You've got to be kidding me... Sure, writing a point and click tool that replaces some semblance of knowledge of what you're doing improves upon the exploitability of something by incompetents, but it's not particularly noteworthy. The recent addition to what they found, i.e. that Gmail fails open when it can't connect via SSL, is interesting in a "this is a great example of how not to write software" way, but is still just a single bug... P.S. The whole topic of discussion is pretty worthless considering almost everyone who does web stuff knew about this problem before and we have the secure attribute on cookies to prevent this exact issue.
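The mitigation the comment above refers to, the Secure attribute on cookies, is what decides whether a session cookie ever travels over the plaintext HTTP that Hamster and Ferret passively capture. The following is an added example, not code from the post or from either tool: it parses the Set-Cookie headers of a constructed HTTP response and reports the cookies a browser would also send over http://, i.e. those set without Secure.

```python
"""Audit Set-Cookie headers in an HTTP response for cookies that a passive
sniffer on an open wireless network could capture (no Secure attribute)."""
from typing import Dict, List, Tuple

# Constructed sample response; the cookie names and values are made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SID=abc123; Path=/; HttpOnly\r\n"            # session cookie, no Secure
    "Set-Cookie: PREF=lang%3Den; Path=/; Expires=Fri, 01 Jan 2010 00:00:00 GMT\r\n"
    "Set-Cookie: AUTH=tok456; Path=/; Secure; HttpOnly\r\n"   # only ever sent over https://
    "\r\n"
    "<html>...</html>"
)


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (name, value, attributes) for one Set-Cookie header value.
    Attribute names are lower-cased; flag attributes such as Secure map to ''."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if attr:
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def set_cookie_headers(raw_response: str) -> List[str]:
    """Collect the values of every Set-Cookie header in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        k, _, v = line.partition(":")
        if k.strip().lower() == "set-cookie":
            values.append(v.strip())
    return values


def insecure_cookies(raw_response: str) -> List[str]:
    """Names of cookies the browser will also send over plain HTTP,
    which is exactly what side-jacking harvests from the air."""
    return [
        parse_set_cookie(h)[0]
        for h in set_cookie_headers(raw_response)
        if "secure" not in parse_set_cookie(h)[2]
    ]


if __name__ == "__main__":
    for name in insecure_cookies(SAMPLE_RESPONSE):
        print(f"cookie {name!r} lacks Secure: exposed to passive sniffing on http://")
```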
kuza55, before Metasploit there were tons of other tools that did practically the same. Before BackTrack there was Knoppix. And before Hamster and Ferret it was mostly dsniff. As I've mentioned in the article, the concepts are not innovative. If you watch Robert's talk you will see that he is quite clear about that as well. Within his presentation, it was mentioned more than once that it is about the tools or at least the combination of them: proxy + sniffer + packet content analyzer - something that was not available before that. Ferret and Hamster are for sniffing like Metasploit is for exploits. It is innovation, because the next generation of hacker sniffing tools will concentrate on getting the most of the captured data without wasting too much time. And yes, it is an innovation! But in order to prove that I've picked the right words, let me quote how innovation is defined by several sources:
  • A creation (a new device or process) resulting from study and experimentation.
  • Introduction of a new idea into the marketplace in the form of a new product or service, or an improvement in organization or process.
  • The use of a new technology, item, or process to change what goods and services are provided, the way they are produced, or the way they are distributed.
  • The creation, development and implementation of a new product, process or service, with the aim of improving efficiency, effectiveness or competitive advantage. Innovation may apply to products, services, manufacturing processes, managerial processes or the design of an organization.
  • etc...
On another note, WiFi hacking is the easiest way to get into corporate networks. I am speaking from personal experience, looking at all the pentests I have performed in the past and also considering every single emergency response I have encountered. It is too bad that all this knowledge cannot be shared due to the various forms of NDAs I've signed. I was one of the first to comment on Robert's talk, but I can clearly see now that judging others for what they do is pointless. You will never reach the same conclusions unless you put yourself in their shoes.
Fine, I'll accept that it's innovation by that definition, but then I don't particularly care about innovation. I care about new ideas. Maybe there's a specific term for that I should start using instead. I'm not trying to say the tool sucks or anything; just that it's generated waaaay more attention than it deserves.
yep it did and it has raised the user awareness...