[asmithmd1]

How do you set a cookie on a domain you do not control? Won't the browser only send cookies to a server on the domain you are trying to browse to?

EDIT: found it - not any, arbitrary site can be DOS

"Who can be cookie-bombed? Blogging/hosting/website/homepage platforms: Wordpress, Blogspot, Tumblr, Heroku, etc."

[tcgv]

- "If you're able to execute your own JS on SUB1.example.com it can cookie-bomb not only your SUB1 but the entire *.example.com network, including example.com"

So you've got to be able to execute JS in a subdomain to plant a cookie bomb that will affect the entire domain.

[jmillikin]

This is for domains that serve user-provided Javascript, such a blog hosts and GitHub.

[cfinke]

Who can be cookie-bombed? Blogging/hosting/website/homepage platforms: Wordpress, Blogspot, Tumblr, Heroku, etc.

WordPress.com would not be vulnerable since users cannot upload or execute arbitrary JavaScript.