[WEB SECURITY] Cookiejacking attack technique
ivan.buetler at csnc.ch
Fri May 27 11:43:51 EDT 2011
For your information. The talk of Rosario at Swiss Cyber Storm 3 in
Switzerland plus his slides are now online.
From: websecurity-bounces at lists.webappsec.org
[mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Rosario
Sent: Wednesday, 25 May 2011 00:14
To: websecurity at lists.webappsec.org
Subject: [WEB SECURITY] Cookiejacking attack technique
Last week, at two security conferences, I showed a new attack technique
called Cookiejacking that allows stealing session cookies without any
All previous approaches on the same topic used at least an XSS or a Man
in the middle attack (e.g. Firesheep) to steal cookies.
In this approach I use a 0-day vulnerability affecting all versions of IE
on every Windows OS and an advanced Clickjacking attack in order to
trick users into dragging & dropping their cookies.
You can steal any cookie (http only, secure cookies, whatever the
website) of every Win user.
On my blog you can find a writeup and a couple of videos.