[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e70efcd55d9e81768ebb1541a4e87da3@mail.ankalagon.ru>
Date: Thu, 26 May 2011 00:00:33 +0400
From: Владимир Воронцов
<vladimir.vorontsov@...ec.ru>
To: Rosario Valotta <valotta.rosario@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cookiejacking attack technique
Great work!
Technique can be used to stealing any data.
In example, content from remote iframes.
And from any local file, i.e. browser cache, configs and other.
But there is problem to open urls in file:// zone from http:// zone.
Recently i founded Chrome vuln, which provide that.
See https://docs.google.com/present/view?id=dcm4kmp7_18w8945rdw slides
20-23.
In your work, you say about redirect in IE9, but it is didn't work for me
(9.0.8112.16421).
If it is possible to open file:// from http:// in IE9, then possible to
stealing any local file without user actions :)
On Wed, 25 May 2011 00:17:21 +0200, Rosario Valotta
<valotta.rosario@...il.com> wrote:
> Hi,
> last week, in two security conferences I showed a new attack technique
> called Cookiejacking that allows to steal session cookies without any
XSS
> vulnerability.
>
> https://www.swisscyberstorm.com/speakers/valotta
> http://conference.hackinthebox.org/hitbsecconf2011ams/?page_id=1388
>
> All previous approaches on the same topic used at least an XSS or a Man
in
> the middle attack (eg Firesheep) to steal cookies.
> In this approach I use a 0-day vulnerabilty affecting all versions of IE
on
> every Windows OS and an advanced Clickjacking attack in order to trick
> users
> in dragging & dropping their cookies.
>
> You can steal any cookie (http only, secure cookies, whatever the
website)
> of every Win user!
>
> If it is interesting, on my blog you can find a writeup and a couple of
> videos.
> https://sites.google.com/site/tentacoloviola/cookiejacking
>
> Regards
>
> Rosario Valotta
--
Best regards,
Vladimir Vorontsov
ONsec security expert
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists