
I've recently been reading about session cookies and how they can be hijacked via man-in-the-middle attacks. It seems this is mainly possible on an unencrypted connection between a client and a web server.

However, I cannot figure out why, if one is already 'in the middle' of an unencrypted connection, one would prefer to capture the cookie instead of the username and password, a more valuable resource, which should also be sent in plaintext?

Islay
  • 478
  • 4
  • 17
  • You *may* be able to - but to be generic, who says that a username and a long standing, complete, password were used to create the session - maybe a one-time password of some form was used. Maybe the user only had to supply certain letters from their password, etc. – Damien_The_Unbeliever Oct 30 '14 at 08:01
  • @Damien_The_Unbeliever: Ah, that's understandable. But in the case of people logging in to their accounts from scratch, would it be fair to assume that if one is able to capture their session cookie their username and password should be equivalent in ease-of-capture? – Islay Oct 30 '14 at 08:04

1 Answer


Stealing a cookie is the easiest way to hijack an account.

  • Unencrypted traffic does not mean that the data is in plain-text form. Mobile applications especially apply encryption methods to data before sending it. For this reason, you will not be able to get the username/password even if you are doing MITM attacks.
  • You don't know whether clients are authenticated or not. Therefore, when you start MITM attacks, you can't be sure all of your targets are going to enter their username/password.
  • What about 2-factor authentication mechanisms? If you try to steal the username/password rather than the cookie value, how are you planning to log in to 2-factor-authentication-enabled accounts?
Mehmet Ince
  • 1,298
  • 9
  • 20
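The following is an added example, not part of the question or the answer above, that models the answer's point in code: a toy in-memory web application (the names `login`, `account_page`, `USERS`, `SESSIONS`, the user "alice", her password and the OTP secret are all constructed for this example) requires a password plus a one-time code to mint a session, but every later request is authenticated purely by the `sessionid` cookie. A constructed plaintext HTTP capture that contains no credentials at all is enough to impersonate the user, while an attacker holding only the password is still stopped by the second factor.

```python
import hashlib
import hmac
import secrets

# In-memory stand-in for a web application's user table and session store.
# The username, password and OTP secret below are constructed for this example.
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse battery staple").hexdigest(),
        "otp_secret": b"constructed-otp-secret",
    }
}
SESSIONS = {}  # session id -> username


def one_time_code(secret, counter):
    """HOTP-style stand-in for a second factor: HMAC of a counter, six digits."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"


def login(username, password, otp, counter):
    """Server-side login: password AND second factor are required to mint a session."""
    user = USERS.get(username)
    if user is None:
        return None
    if hashlib.sha256(password.encode()).hexdigest() != user["pw_hash"]:
        return None
    if not hmac.compare_digest(otp, one_time_code(user["otp_secret"], counter)):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def parse_cookie_header(value):
    """Split a Cookie header value such as 'a=1; b=2' into a dict."""
    out = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            out[key] = val
    return out


def account_page(cookie_header):
    """Authenticated endpoint: identifies the caller purely from the session cookie."""
    sid = parse_cookie_header(cookie_header or "").get("sessionid")
    return SESSIONS.get(sid)


def cookie_from_capture(raw_http_request):
    """What a MITM does: pull the Cookie header out of a plaintext HTTP request."""
    for line in raw_http_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            return line.split(":", 1)[1].strip()
    return None


def run_scenario():
    # 1. Alice logs in (before the attacker was on path, or over HTTPS) with her
    #    password plus a one-time code. Counter 7 is an arbitrary HOTP counter.
    sid = login("alice", "correct horse battery staple",
                one_time_code(USERS["alice"]["otp_secret"], 7), 7)
    assert sid is not None

    # 2. Later, her browser sends an ordinary request over plain HTTP. Constructed
    #    capture: no username or password anywhere in it, only the session cookie.
    captured = (
        "GET /account HTTP/1.1\r\n"
        "Host: example.test\r\n"
        f"Cookie: theme=dark; sessionid={sid}\r\n"
        "\r\n"
    )

    # 3. The attacker replays nothing but the Cookie header and is served as Alice.
    hijacked_user = account_page(cookie_from_capture(captured))

    # 4. For comparison: knowing the password but holding no second factor
    #    ("" stands for the missing code) does not get the attacker a session.
    password_only = login("alice", "correct horse battery staple", "", 8)

    return {"hijacked_user": hijacked_user, "password_only_login": password_only}


if __name__ == "__main__":
    print(run_scenario())
```

The replayed request carries no credential that the server can re-verify, so the cookie is accepted for as long as the session lives, regardless of how strong the login was. The practical defence is to never let the cookie travel in the clear: serve the site over TLS and set the `Secure` attribute on the session cookie so the browser refuses to send it over plain HTTP (and `HttpOnly` so page scripts cannot read it).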