Hacker News

How do you set a cookie on a domain you do not control? Won't the browser only send cookies to a server on the domain you are trying to browse to?

EDIT: found it - not any arbitrary site can be DOSed

"Who can be cookie-bombed? Blogging/hosting/website/homepage platforms: Wordpress, Blogspot, Tumblr, Heroku, etc."



- "If you're able to execute your own JS on SUB1.example.com it can cookie-bomb not only your SUB1 but the entire *.example.com network, including example.com"

So you've got to be able to execute JS in a subdomain to plant a cookie bomb that will affect the entire domain.
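As an added illustration of the point in this comment (not code from any poster or from the platforms named): a model of which hosts receive a cookie written from SUB1.example.com with Domain=example.com, and a server-side guard that expires the bombed cookies instead of leaving the client stuck on a 4xx. The hostnames, the 8 KB limit and the cookie names are constructed assumptions.

```python
"""Cookie-bomb exposure model for a shared parent domain, plus a server-side
recovery guard. Added example for this thread; not code from any poster or
from the platforms named. Hostnames, the size limit and cookie names are
constructed."""


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3 domain-match: a cookie carrying Domain=cookie_domain is
    sent to request_host when the host equals the domain or is a subdomain of
    it. Matching is on label boundaries, so 'evilexample.com' does not match
    'example.com'."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def blast_radius(setter_host: str, cookie_domain: str, hosts: list) -> list:
    """Hosts that receive a cookie written from setter_host with the given
    Domain attribute. A browser only accepts a Domain that is the setter
    itself or one of its parents, so a sibling subdomain cannot be targeted
    directly; the parent, however, covers every sibling. (Public Suffix List
    handling is deliberately not modelled here.)"""
    if not domain_matches(setter_host, cookie_domain):
        return []  # the browser rejects the write
    return [h for h in hosts if domain_matches(h, cookie_domain)]


# Constructed limit. It must sit below the front-end server's own request
# header limit, otherwise the server rejects the request before this code runs.
MAX_COOKIE_HEADER = 8 * 1024


def guard_cookie_header(cookie_header: str, cookie_domain: str):
    """Mitigation: a plain 4xx leaves a bombed client stuck, because the same
    oversized Cookie header is sent on every retry. Answer with 431 and expire
    every cookie name seen, scoped to the shared domain, so the next request
    goes through. Only cookies whose Domain and Path attributes match the
    values given here are cleared; others need their own Set-Cookie."""
    if len(cookie_header) <= MAX_COOKIE_HEADER:
        return 200, []
    names = {pair.split("=", 1)[0].strip()
             for pair in cookie_header.split(";") if pair.strip()}
    clears = [f"{name}=; Domain={cookie_domain}; Path=/; Max-Age=0"
              for name in sorted(names)]
    return 431, clears
```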


This is for domains that serve user-provided Javascript, such as blog hosts and GitHub.


Who can be cookie-bombed? Blogging/hosting/website/homepage platforms: Wordpress, Blogspot, Tumblr, Heroku, etc.

WordPress.com would not be vulnerable since users cannot upload or execute arbitrary JavaScript.



