Pen-testing Cookie Cadger continues where Firesheep left off

When the Firesheep extension was revealed to the world in late 2010, its developer said that his main goal was to get sites to switch to full end-to-end encryption, i.e. SSL.

Since then, many big sites such as Twitter, Facebook, Hotmail and others have either turned on HTTPS by default or have given the option to its users to switch it on.

Having partially achieved his goal, Butler hasn’t bothered with updating the extension, which hasn’t worked since Firefox 3.x.

Still, there are other developers who have taken up the torch, and among them is Matthew Sullivan, a graduate student in the Information Assurance and Computer Engineering departments at Iowa State University, who on Sunday presented his “Cookie Cadger” to the crowd assembled at this year’s DerbyCon.

“Cookie Cadger is a graphical utility which harnesses the power of the Wireshark suite and Java to provide a fully cross-platform, entirely open-source utility which can monitor wired Ethernet, insecure Wi-Fi, or load a packet capture file for offline analysis,” Sullivan explains on the program’s official website.

It’s an open source pen-testing tool made for intercepting and replaying specific insecure HTTP GET requests into a browser.

You can download the app immediately if you are prepared to pay at least $10 (the proceeds go to Hackers for Charity), or you can wait a few weeks and download the source code for free.

The tool works on Windows, Linux, or Mac, and requires Java 7 and “tshark” – a utility that’s part of the Wireshark suite.

“Additionally, to capture packets promiscuously requires compatible hardware. Capturing Wi-Fi traffic requires hardware capable of monitor mode, and the knowledge of how to place your device into monitor mode,” Sullivan adds, and points out that the software is still in beta, so issues and bugs are likely.