Full Disclosure mailing list archives

MouseOverJacking attacks


From: "MustLive" <mustlive () websecurity com ua>
Date: Tue, 29 Dec 2009 23:48:34 +0200

Hello participants of Full-Disclosure.

Recently, on the 26th of December 2009, I wrote the article MouseOverJacking
attacks (http://websecurity.com.ua/3807/), and today I
wrote the English version of it (http://websecurity.com.ua/3814/).

Last year I made an announcement of MouseOverJacking - on 12.12.2008 in the WASC
Mailing List
(http://www.webappsec.org/lists/websecurity/archive/2008-12/msg00062.html),
and on 17.12.2008 on my site. But only now have I found time to write an article
about it.

MouseOverJacking is a new kind of attack on web browsers, developed by
me in September 2008. These attacks can be used to make use of different
vulnerabilities in browsers or web sites where pointing the mouse cursor at
an object is needed. So with the help of the MouseOverJacking technique it’s
possible to intercept the cursor’s movement and to conduct an attack.

In the article Clickjacking Details, RSnake wrote about this attack vector. But I
first gave an example of this attack vector a month before (even before the first
announcement of Clickjacking). Besides, he described this attack vector very
briefly, and it required a separate article, which I wrote.

Table of contents:

1. The idea of MouseOverJacking attacks.
2. Possibilities of using of MouseOverJacking.
3. XSS attacks with using of onMouseOver event.
4. DoS attacks on browsers.
5. Other attacks at pointing of cursor.
6. Examples of MouseOverJacking attacks.
7. Protection from MouseOverJacking.

You can read the article MouseOverJacking attacks at my site:
http://websecurity.com.ua/3814/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
