Date: Tue, 29 Dec 2009 23:48:34 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: MouseOverJacking attacks

Hello participants of Full-Disclosure.

Recently, on the 26th of December 2009, I wrote the article MouseOverJacking
attacks (http://websecurity.com.ua/3807/), and today I
wrote an English version of it (http://websecurity.com.ua/3814/).

Last year I made an announcement of MouseOverJacking: on 12.12.2008 in the WASC
Mailing List
(http://www.webappsec.org/lists/websecurity/archive/2008-12/msg00062.html),
and on 17.12.2008 at my site. But only now have I found time to write an article
about it.

MouseOverJacking is a new kind of attack on web browsers, developed by
me in September 2008. These attacks can be used to make use of different
vulnerabilities in browsers or web sites where pointing the mouse cursor at
an object is needed. So with the help of the MouseOverJacking technique it’s
possible to intercept the cursor’s movement and to conduct an attack.

In the article Clickjacking Details, RSnake wrote about this attack vector. But I
first gave an example of this attack vector a month before (even before the first
announcement of Clickjacking). Besides, he described this attack vector very
briefly; it required a separate article, which I did in my article.

Table of contents:

1. The idea of MouseOverJacking attacks.
2. Possibilities of using of MouseOverJacking.
3. XSS attacks with using of onMouseOver event.
4. DoS attacks on browsers.
5. Other attacks at pointing of cursor.
6. Examples of MouseOverJacking attacks.
7. Protection from MouseOverJacking.

You can read the article MouseOverJacking attacks at my site:
http://websecurity.com.ua/3814/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
