Owning the Users with The Middler

Expo Theatre (Hall G) October 21, 2008 - Feedback     

Bookmark and Share

Jay Beale

This talk introduces a new open source, plugin-extensible attack tool for exploiting web applications that use cleartext HTTP, if only to redirect the user to the HTTPS site. We’ll demonstrate attacks on online banking as well as Gmail, LinkedIn, LiveJournal and Facebook. We’ll also compromise computers and an iPhone by subverting their software installation and update process. We’ll inject Javascript into browser sessions and demonstrate CSRF attacks.

Our new tool, The Middler, automates these attacks to make exploiting every active user on your computer’s network brain-dead easy and scalable. It has an interactive mode, but also has a fire-and-forget mode that can perform these attacks automatically without interaction. Written in Python, this tool is easy to both extend and add into other tools.