Full Disclosure mailing list archives
Cookiejacking attack technique
From: Rosario Valotta <valotta.rosario () gmail com>
Date: Wed, 25 May 2011 00:17:21 +0200
Hi,

last week, at two security conferences, I showed a new attack technique called Cookiejacking that allows stealing session cookies without any XSS vulnerability.

https://www.swisscyberstorm.com/speakers/valotta
http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388

All previous approaches on the same topic used at least an XSS or a man-in-the-middle attack (e.g. Firesheep) to steal cookies. In this approach I use a 0-day vulnerability affecting all versions of IE on every Windows OS and an advanced Clickjacking attack in order to trick users into dragging & dropping their cookies. You can steal any cookie (http only, secure cookies, whatever the website) of every Win user!

If it is interesting, on my blog you can find a writeup and a couple of videos.

https://sites.google.com/site/tentacoloviola/cookiejacking

Regards
Rosario Valotta
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/