Thanks for your feedback.

These types / kinds of attacks are not new

Don’t confuse it with general XSS attacks with event handlers, because it’s different things. I wrote about it in the article - look at the paragraph “The difference between common attack with using of onMouseOver event and MouseOverJacking attack”.

I’ve been using them for perhaps over a year now and I call / name it: “XSS with EventHandlers”

I’m using XSS via event hadlers for many years (first time I mentioned at my site about such XSS regarding holes at cenzic.com and picosearch.com), but MouseOverJacking is different type of attacks. MouseOverJacking is automated attacks, while XSS via event hadlers is not (in most cases). MouseOverJacking uses both XSS holes (via onMouseOver) and special ways to make attack fully automated - to make it comparable to attacks via styles.

In cases where has only been “blocked” by f.ex. preg_replace

As I mentioned, the idea is to make attack fully automated. And as I mentioned in this article and in comments to The future of XSS attacks article, for MouseOverJacking there are other attack vectors besides XSS (such as DoS, CSRF and others).

In HTML5 it’s possible to use more onerror-eventhandlers due to more tags supports them.

Thanks for mentioning, I’ll look at HTML5 specification (at new onerror-eventhandlers). But for now only some browsers support HTML5. So mouseover is only event which allows to make cross-browser and automated attacks with using of MouseOverJacking technique.

In cases where has only been “blocked” by f.ex. preg_replace (seen in many cases), is just one of my favorite working examples of getting an alert box still.

In many other cases, I was inside tags like search-fields that would be located on a site where it would be almost virtually impossible not to mouse-over and thereby I used the “onmouseover” eventhandler.

In case there’s “auto-focus” on this search-field that I am talking about, the eventhandler known as “onblur” can also be used.

To conclude it all: It’s just a matter of how you can apply your knowledge with the current features of the browser you’re using to exploit a website with Cross Site Scripting.

In HTML5 it’s possible to use more onerror-eventhandlers due to more tags supports them.

Best regards,
MaXe - Founder of InterN0T

is impossible to understand your article

I wrote this article (translated from Ukrainian) as good as I can. So I am sorry, if it’s hard for you to understand this article. You can try to read my other articles (their English versions) in case if other ones will be better for you to understand.

the attack is not interesting

I don’t think so. For me it’s interesting technique which can be used for different attacks (as I wrote). For this reason I wrote my article. But it’s your own decision if this attack technique is interesting for you.

Show step by step real examples or you are just pretneding to find something new.

In “Examples of MouseOverJacking attacks” part of the article I showed real examples. What is incomprehensible for you in those examples?

You need to save those examples to new html files at your computer and run to see the result. For example of DoS attack on Google Chrome you need old version (Chrome 0.2.149.27) to see the DoS (crash of the browser). For example of XSS attack you need any browser - it works in any current browsers (I tested in my five browsers).