When logging into a website, you usually start by submitting your username and password to the site. The server that powers the website checks them for a matching account and replies with a “cookie” that your browser uses for all subsequent requests. It’s vitally important that this login information is protected by SSL encryption; otherwise the cookie, and the user, are left vulnerable to HTTP session hijacking. On an open public wireless network, cookies are basically shouted through the air. If they are not sent over an SSL-encrypted layer, they can be easily sniffed by anyone on the same network.
The rule of thumb to prevent this from happening is to never enter your username and password over a plain HTTP session. Simply walk away if you don’t see https in the URL. However, it’s hard to tell whether a connection is secure inside an application, because you don’t get to see the actual URL used to transfer your login info.
Cookie Cadger, a free open source project, is an auditing tool for both wireless and wired network connections that helps identify information leakage from applications that use insecure plain HTTP GET requests. It builds on the Wireshark suite and is written in Java, which makes it fully cross-platform.
To use Cookie Cadger, you first need to download and install Wireshark for Windows, which is also free, on your computer. Then download the Cookie Cadger JAR file and double-click it to run it directly.
The tool first checks and lists all network adapters installed on the computer. You can then select any of them to start the capturing process. If you have more than one adapter installed, you can also run multiple instances to monitor the traffic on different adapters. All captured data is stored in a back-end MySQL database, or can be saved and opened later for replay in the same program.
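The kind of leakage such an audit looks for can be shown with a short added example. This is not Cookie Cadger's code and not from the original post. It reads constructed plain-HTTP request payloads and reports which requests carry cookies or credential-like GET parameters in cleartext, listing names only; the sample hosts and the sensitive parameter list are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: parameter names treated as sensitive when seen in a GET query.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "sessionid"}

# Constructed sample payloads, as a capture of your own app's traffic might hold.
SAMPLES = [
    b"GET /feed HTTP/1.1\r\nHost: app.example.test\r\nCookie: sid=abc123; theme=dark\r\n\r\n",
    b"GET /login?user=alice&password=hunter2 HTTP/1.1\r\nHost: api.example.test\r\n\r\n",
    b"GET /logo.png HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n",
    b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",  # TLS record: not readable HTTP
]

def parse_request(raw):
    """Parse one cleartext HTTP/1.x request head; return None if it is not HTTP."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return parts[0], parts[1], headers

def audit_request(raw):
    """Return a finding dict if the request leaks cookies or secrets, else None."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, target, headers = parsed
    url = urlsplit(target)
    # Record cookie names only; values are deliberately not kept in the report.
    cookies = [pair.split("=", 1)[0].strip()
               for value in headers.get("cookie", [])
               for pair in value.split(";") if pair.strip()]
    params = sorted({k for k, _ in parse_qsl(url.query, keep_blank_values=True)
                     if k.lower() in SENSITIVE_PARAMS})
    if not cookies and not params:
        return None
    return {"host": headers.get("host", ["?"])[0], "method": method,
            "path": url.path, "cookies": cookies, "query_params": params}

def audit_capture(payloads):
    return [f for f in map(audit_request, payloads) if f]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLES):
        print(finding)
```

Traffic sent over SSL shows up like the last sample and yields no finding, which is the outcome you want for every request that carries login state.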
What’s interesting is that the captured packets can be replayed in the browser through Cookie Cadger. You can even modify the header before launching the replay request.
I haven’t had a chance to run Cookie Cadger extensively, so I don’t have much to share in terms of how to effectively identify the flaw and leakage from the data captured. If anyone finds this interesting and has put in the effort to get first-hand experience using it, please feel free to share.