[WEB SECURITY] Cookiejacking attack technique

Ivan Buetler ivan.buetler at csnc.ch
Fri May 27 11:43:51 EDT 2011

For your information: Rosario's talk at Swiss Cyber Storm 3 in
Switzerland and his slides are now online.

From: websecurity-bounces at lists.webappsec.org
[mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Rosario
Sent: Wednesday, 25 May 2011 00:14
To: websecurity at lists.webappsec.org
Subject: [WEB SECURITY] Cookiejacking attack technique

Last week, in two security conferences, I showed a new attack technique
called Cookiejacking that allows stealing session cookies without any
XSS vulnerability.

All previous approaches on the same topic used at least an XSS or a
man-in-the-middle attack (e.g. Firesheep) to steal cookies.

In this approach I use a 0-day vulnerability affecting all versions of IE
on every Windows OS and an advanced Clickjacking attack in order to
trick users into dragging & dropping their cookies.

You can steal any cookie (HttpOnly, secure cookies, whatever the
website) of every Windows user.

On my blog you can find a writeup and a couple of videos.

Rosario Valotta