Target supports HTTP TRACE method, how can I upload shell?
  • mandi
    Posts: 207
    As the title says, I have been scanning my target for vulnerabilities, and I have found that the target has enabled or supports the HTTP TRACE method.

    How can I exploit this to upload a shell on my target?

    Is it possible?

    Also, the target is running Windows 2003 OS with

    "Apache httpd 2.2.11 ((Win32) PHP/5.3.0)"


    Hope I will get some advice...
  • The exploit is basically XSS, but it's actually called XST (Cross-site tracing); all sites are vulnerable unless the TRACK/TRACE methods are disabled. To execute the exploit you're going to have to get a browser with the capability to run this, as most browsers have implemented features to disable execution of the exploit (such as Firefox, IE, Netscape, etc). So basically, to have this run successfully, the user you are trying to get cookies off would have to be running an old version of Firefox, IE or even any version of Opera or Safari. Here's a little site to give some more insight; I'm sure it's still exploitable if a proper exploit is coded for new applications.
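
For administrators checking their own servers for the TRACE echo behaviour discussed in this thread, here is an added example that is not part of the original posts. It classifies a TRACE response and lists which credential-bearing headers it reflects; the function names, the `X-Trace-Audit` header and the sample response are assumptions constructed for illustration.

```python
import http.client
import uuid

SENSITIVE = ("cookie", "authorization", "proxy-authorization")

# Constructed sample: body a TRACE-enabled server sends back (the request, echoed).
SAMPLE_ECHO = (
    "TRACE / HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "X-Trace-Audit: xst-audit-1234\r\n"
    "Cookie: session=constructed\r\n\r\n"
)

def classify_trace(status, body, marker):
    """Classify a TRACE response: 'refused', 'echoes-request' or 'inconclusive'."""
    if status in (403, 405, 501):
        return "refused"              # method blocked, e.g. by TraceEnable off
    if status == 200 and marker in body:
        return "echoes-request"       # request headers are reflected in the body
    return "inconclusive"             # e.g. a proxy answered, or TRACE was ignored

def echoed_sensitive(body):
    """List credential-bearing header names reflected in a TRACE body."""
    found = []
    for line in body.splitlines()[1:]:        # skip the echoed request line
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE:
            found.append(name.strip())
    return found

def probe(host, port=80, tls=False, timeout=5):
    """Send one TRACE request to a server you administer and classify the reply."""
    marker = "xst-audit-" + uuid.uuid4().hex   # unique value to look for in the echo
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Audit": marker})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        return classify_trace(resp.status, body, marker)
    finally:
        conn.close()

if __name__ == "__main__":
    print(classify_trace(200, SAMPLE_ECHO, "xst-audit-1234"), echoed_sensitive(SAMPLE_ECHO))
```

On Apache httpd, setting `TraceEnable off` in the server configuration makes the server answer TRACE with 405, which this check reports as `refused`.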