Sorta - you are still bound to the same origin policy; however, there are some tricks.
If someone goes to www.abc.com but I'm really after some sensitive info on www.xyz.com, then instead of letting them see www.abc.com, I can show them something else and deliver www.abc.com with an iframe pointing to www.xyz.com. Now, I own www.xyz.com because I'm a MITM, and I can inject my own JS on that site.
The beauty here is that lots of people think "Wow - SSL, I'm safe." Well, that's only true if you're already in an SSL session. Because most people go to http before their browser is redirected to https, and because I am a man in the middle, I don't have to let them redirect. That's less useful than it sounds because cookies don't work from protocol to protocol, but it's great for MITM phishing. Remember too, you can also take over their https service if you aren't afraid of giving them a little warning message. Most people ignore it anyway.
I should also point out that Dave Maynor and Rob Thomas and I have been working on this concept for some time regarding ferrit. They are doing most of the work - I'm just the coach on the sideline telling them how cool it would be to beef up airpwn for this purpose. No ETA on the version that would do this, but I haven't talked to them in a while about this (since Blackhat actually).
- RSnake
Gotta love it.
http://ha.ckers.org
Edited 2 time(s). Last edit at 01/10/2008 11:23AM by rsnake.