  1. #4
    Advanced member
    Registered since
    08.04.2015
    Posts
    32

    Re: HSTS timing attack

    I found some of the comments on this in Mozilla's bug tracker quite interesting:
    chris hofmann 2013-05-05 18:15:30 PDT
    re: comment 280 and timing attacks on cached page elements.

    Looks like Michal Zalewski has done some more research in this area. He posted this to the Wasc list just now. Is this worthwhile spinning off another bug?

    As you probably know, most browser vendors have fixed the ability to
    enumerate your browsing history through the CSS :visited
    pseudo-selector. The fix severely constrains the styling possible for
    visited links, and hides it from APIs such as
    window.getComputedStyle() [1].

    The fix does not prevent attackers from extracting similar information
    through cache timing [2], or by examining onerror / onload events for
    scripts and images loaded from sites to which you may be logged in.
    Nevertheless, the :visited attack is particularly versatile and
    reliable, so several people have tried to circumvent the fix by
    showing the user a set of hyperlinked snippets of text that, depending
    on the browsing history, will blend with the background or remain
    visible on the screen. Their visibility can be then indirectly
    measured by seeing how the user interacts with the page.

    The problem with these attacks is that they are either unrealistic, or
    extremely low-throughput. So, here is a slightly more interesting
    entry for this contest. The PoC works in Chrome and Firefox, but
    should be easily portable to other browsers:

    http://lcamtuf.coredump.cx/yahh/

    The basic idea behind this inferior clone of Asteroids is that we hurl
    a lot of link-based "asteroids" toward your spaceship, but you only
    see (and take down) the ones that correspond to the sites you have
    visited. There are several tricks to maintain immersion, including
    some proportion of "real" asteroids that the application is sure are
    visible to you. The approach is easily scalable to hundreds or
    thousands of URLs that can be tested very quickly, as discussed here:

    http://lcamtuf.blogspot.com/2013/05/...-with-css.html

    Captain Obvious signing off,
    /mz

    [1] https://developer.mozilla.org/en-US/docs/CSS/:visited
    [2] http://lcamtuf.blogspot.com/2011/12/...overrated.html
    Source: https://bugzilla.mozilla.org/show_bug.cgi?id=147777

    It's old and impractical, but the PoC code is creative and still works.

    Update:
    http://lcamtuf.coredump.cx/cachetime/ also works surprisingly well if you adjust the link list.
    @lcamtuf has a few interesting posts on the topic anyway.
    Last edited by rax (02.11.2015 at 11:25)
