Google! DONT BE EVIL!
Q: What is Cookiejacking?
A: Cookiejacking is a UI redressing attack that allows an attacker to hijack a victim’s cookies without any XSS.
Q: How the hell is it possible to steal cookies without an XSS? Are you using Firesheep?
A: Cookiejacking leverages two main issues:
a 0-day vulnerability affecting every IE version on every Windows OS box
an advanced Clickjacking approach
Q: Tell me about the 0-day…
A: IE defines Security zones; they are a proprietary mechanism that allows users to group websites according to the trust placed in their source. From a theoretical point of view, a site assigned to a less-privileged zone (e.g. the Internet zone) cannot interact with a site or content assigned to a more-privileged zone (e.g. local files on your PC). This is called the “Cross zone interaction policy”.
Q: And does it work?
A: You can bet. But you need to solve a couple of issues first…
Q: Tell me more…
A: First of all, the cookies’ file-system path depends on the Windows username, so you need to guess your victim’s username before starting the attack.
You can sniff your victim’s username by exploiting a feature of IE: IE can access remote SMB resources referenced by UNC paths, and it can do this without restriction in the Internet and Intranet zones.
So, if you force your victim’s browser to retrieve a resource like [cc lang=”html”][/cc], it will start an NTLM challenge-response negotiation with the remote server and, as part of this negotiation, it sends the Windows username in clear text.
So you can just use a script to sniff data on TCP port 445 in order to grab the username.
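The username leak described above only works if the victim’s browser can reach an outside SMB server on TCP port 445, so blocking or alerting on outbound 445 at the network edge cuts the first step of the attack. As an added example (not code from the original post), here is a small Python check that scans constructed firewall log lines and reports TCP/445 flows leaving the internal address space; the log format and the sample entries are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample firewall log lines (assumed format, not from the original post).
SAMPLE_LOGS = """\
2011-05-27T10:01:12Z ALLOW TCP 10.0.0.15:51234 -> 10.0.0.7:445
2011-05-27T10:01:13Z ALLOW TCP 10.0.0.15:51240 -> 198.51.100.23:445
2011-05-27T10:01:14Z ALLOW TCP 10.0.0.22:51301 -> 203.0.113.9:80
2011-05-27T10:01:15Z ALLOW TCP 10.0.0.22:51302 -> 203.0.113.9:445
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Address ranges that count as "inside": RFC 1918, loopback and link-local.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_external(addr: str) -> bool:
    """True if addr falls outside every internal range above."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed entries for TCP flows to port 445 on an external host.

    Each such flow is a candidate NTLM negotiation with a server the
    organisation does not control, i.e. the username leak the post describes.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        entry = m.groupdict()
        if entry["proto"] == "TCP" and entry["dport"] == "445" and is_external(entry["dst"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_outbound_smb(SAMPLE_LOGS):
        print(f"{hit['ts']} outbound SMB {hit['src']} -> {hit['dst']} (possible NTLM username leak)")
```

In a real deployment the same rule belongs in the egress firewall as a deny, with the alert kept for hosts that still attempt the connection.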
Q: Wow, what’s next?
A: You also need to know which OS version the victim is running, as different OSs store cookies in different folders. But you can guess this by parsing navigator.userAgent.
Q: Ok, so knowing the cookie folder and the victim’s username you can properly set the iframe source, but how can you trick your victim into dragging and dropping the cookie?
A: I use a Clickjacking approach: the iframe is hidden (opacity=0) but with a given z-index (e.g. 1). I overlap some appealing content on the iframe (z-index=0, opacity=100) and I ask my victim to drag it somewhere around the screen. Have a look at this video…
A must-read article.
1st Presentation: here
2nd Presentation: here
Source and author: here