Full Disclosure mailing list archives
MouseOverJacking attacks
From: "MustLive" <mustlive () websecurity com ua>
Date: Tue, 29 Dec 2009 23:48:34 +0200
Hello participants of Full-Disclosure.

Recently, on the 26th of December 2009, I wrote the article MouseOverJacking attacks (http://websecurity.com.ua/3807/), and today I wrote the English version of it (http://websecurity.com.ua/3814/).

Last year I made an announcement of MouseOverJacking - on 12.12.2008 in the WASC Mailing List (http://www.webappsec.org/lists/websecurity/archive/2008-12/msg00062.html), and on 17.12.2008 at my site. But only now have I found time to write an article about it.

MouseOverJacking - it’s a new kind of attack on web browsers, developed by me in September 2008. These attacks can be used for using different vulnerabilities in browsers or web sites, where pointing the mouse cursor at an object is needed. And so with the help of the MouseOverJacking technique it’s possible to intercept the cursor’s move and to conduct an attack.

In the article Clickjacking Details RSnake wrote about this attack vector. But I first gave an example of this attack vector a month before (yet before the first announcement of Clickjacking). Besides, he described this attack vector very briefly, which required a separate article, which I did in my article.

Table of contents:

1. The idea of MouseOverJacking attacks.
2. Possibilities of using of MouseOverJacking.
3. XSS attacks with using of onMouseOver event.
4. DoS attacks on browsers.
5. Other attacks at pointing of cursor.
6. Examples of MouseOverJacking attacks.
7. Protection from MouseOverJacking.

You can read the article MouseOverJacking attacks at my site: http://websecurity.com.ua/3814/

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/