Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability
- To: Gage Bystrom <themadichib0d@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Predefined Post Authentication Session ID Vulnerability
- From: Douglas Huff <mith@xxxxxxxxxxxxxx>
- Date: Fri, 13 Jul 2012 13:27:33 -0500
On Jul 13, 2012, at 13:24, Gage Bystrom <themadichib0d@xxxxxxxxx> wrote:
> Well, if I understand Tim correctly, you wouldn't need a CA. In the attack he
> mentioned, not once do you ever actually look at the SSL content. He's talking
> about redirecting them to plain HTTP and then setting the session cookie and
> redirecting them back.
>
You're right. I misread slightly. Same tool would still work; just scrap the CA
comment. :)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
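
Added example (not part of the original thread or any poster's code): the server-side fix for the scenario discussed above is to issue a fresh session ID at login, so a session cookie that was set in the browser before authentication is worthless afterwards. `SessionStore` and its methods are hypothetical names for a toy in-memory server, and the user name is constructed.

```python
import secrets


class SessionStore:
    """Constructed toy server: maps session id -> logged-in user (None before login)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, cookie_sid, user):
        """Authenticate `user`; return the session id the browser should hold afterwards."""
        if cookie_sid not in self.sessions:
            cookie_sid = self.new_session()   # never adopt an id the server did not issue
        if self.rotate_on_login:
            del self.sessions[cookie_sid]     # the pre-login id dies here
            cookie_sid = self.new_session()
        self.sessions[cookie_sid] = user
        return cookie_sid

    def whoami(self, cookie_sid):
        return self.sessions.get(cookie_sid)


def planted_id_survives_login(store):
    """True if an id known before login is authenticated after the victim logs in."""
    planted = store.new_session()             # id known to a third party before login
    issued = store.login(planted, "alice")    # victim's browser presented that id
    assert store.whoami(issued) == "alice"    # the victim's own session always works
    return store.whoami(planted) == "alice"


if __name__ == "__main__":
    print("keeps id across login:", planted_id_survives_login(SessionStore(False)))
    print("rotates id at login:  ", planted_id_survives_login(SessionStore(True)))
```

The same check works as a regression test against a real application: record the session cookie before login and confirm it no longer maps to an authenticated session afterwards.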