When you visit my website, I can automatically and silently determine if you're logged into Facebook, Twitter, GMail and Digg.....
Abusing HTTP Status Codes to Expose Private Information
Abusing HTTP Status Codes to Expose Private Information
https://grepular.com/Abusing_HTTP_Statu ... nformation
Abusing HTTP Status Codes to Expose Private Information
Good Job Flash,
We should connect this "browser spilling" to :
http://murga-linux.com/puppy/viewtopic.php?t=62391
Example:
- A curious site webmaster will visit a number of sites that he would like to know whether his own "visitors" are also viewing, like the city banks, restaurants, grocery, auto dealers, etc. They save the home page and comb them for obscure, yet unique from all the other "curious about" desired links small pics. These are then obliquely loaded into his own website, and they wait.
- Someone visits the "curious" site, now the "misc pic files" load from his site or the browser cache, revealing where the browser "goes to" or doesn't.
- just one way
Have G'day group
We should connect this "browser spilling" to :
http://murga-linux.com/puppy/viewtopic.php?t=62391
Example:
- A curious site webmaster will visit a number of sites that he would like to know whether his own "visitors" are also viewing, like the city banks, restaurants, grocery, auto dealers, etc. They save the home page and comb them for obscure, yet unique from all the other "curious about" desired links small pics. These are then obliquely loaded into his own website, and they wait.
- Someone visits the "curious" site, now the "misc pic files" load from his site or the browser cache, revealing where the browser "goes to" or doesn't.
- just one way
Have G'day group
Even though I'm running Javascript, he doesn't know. Not on my
computer.
1) he can't know where I came from
2) he can't know my OS or browser, worse, his site is informed I'm
running XP with IE 6
3) he can't know if I'm logged into Facebook, Twitter or Google
All this is default, preemptive for all sites, not just this one.
RequestPolicy addon prevents #3
Preferences Toolbar is set to refuse to send referrer and spoof the
OS and browser. Thus messing up #1 and #2
Yes, I strongly recommend the RequestPolicy and Preferences
Toolbar AND they are easy to use and intuitive.
See pic below showing the sites which were blocked by default.
~
computer.
1) he can't know where I came from
2) he can't know my OS or browser, worse, his site is informed I'm
running XP with IE 6
3) he can't know if I'm logged into Facebook, Twitter or Google
All this is default, preemptive for all sites, not just this one.
RequestPolicy addon prevents #3
Preferences Toolbar is set to refuse to send referrer and spoof the
OS and browser. Thus messing up #1 and #2
Yes, I strongly recommend the RequestPolicy and Preferences
Toolbar AND they are easy to use and intuitive.
See pic below showing the sites which were blocked by default.
~
- Attachments
-
- doesnt-know.png
- (17.08 KiB) Downloaded 892 times
Abusing HTTP Status Codes to Expose Private Information
Hi,
Bruce B, you have taken the critical steps of what an individual can do, 98% of the web requires Jscript to operate, crafted that way, We can admire "Bugman" for his avoiding the js.
- But any given pc or system Kernal can be discovered by the TCP/IP stack, and the assigned ISP IP geographically locates one right to a neighborhood.
Stack Fingerprinting ( EDIT 1- My apology - Old bookmarks not explored )
More info: * links are good 03-12-2011
- OLD (bad) http://www.sys-security.com/html/projects/X.html
*Replacement- http://capec.mitre.org/data/definitions/316.html
*New page- http://sourceforge.net/scm/?type=git&group_id=30984
*old Link page- http://xprobe.sourceforge.net Link page
*New Link page- http://sourceforge.net/apps/mediawiki/x ... =Main_Page
*new-link-old_page- http://xprobe.sourceforge.net/oldindex.html
*old PDF- http://xprobe.sourceforge.net/xprobe-ng.pdf
*old PDF- http://xprobe.sourceforge.net/xprobe_dsn_slides.pdf
OLD (bad) http://www.notlsd.net/xprobe/
*Replacement- http://www.phrack.com/issues.html?issue=57&id=7
- Once we click the browser, we don phosphorescent clothing covered in text.
Jay
Edit 2
Thank you Bruce B, did not understand as you surmized ;)
My system is subject to above attacks, as are most others
Edit 3
- If I was single Bugman, I'd be standing on the ol' Mustang's Loud pedal going West !!!
Well alas, 5th wife still here, the cars out of gas and so am I
-
Bruce B, you have taken the critical steps of what an individual can do, 98% of the web requires Jscript to operate, crafted that way, We can admire "Bugman" for his avoiding the js.
- But any given pc or system Kernal can be discovered by the TCP/IP stack, and the assigned ISP IP geographically locates one right to a neighborhood.
Stack Fingerprinting ( EDIT 1- My apology - Old bookmarks not explored )
More info: * links are good 03-12-2011
- OLD (bad) http://www.sys-security.com/html/projects/X.html
*Replacement- http://capec.mitre.org/data/definitions/316.html
*New page- http://sourceforge.net/scm/?type=git&group_id=30984
*old Link page- http://xprobe.sourceforge.net Link page
*New Link page- http://sourceforge.net/apps/mediawiki/x ... =Main_Page
*new-link-old_page- http://xprobe.sourceforge.net/oldindex.html
*old PDF- http://xprobe.sourceforge.net/xprobe-ng.pdf
*old PDF- http://xprobe.sourceforge.net/xprobe_dsn_slides.pdf
OLD (bad) http://www.notlsd.net/xprobe/
*Replacement- http://www.phrack.com/issues.html?issue=57&id=7
- Once we click the browser, we don phosphorescent clothing covered in text.
Jay
Edit 2
Thank you Bruce B, did not understand as you surmized ;)
My system is subject to above attacks, as are most others
Edit 3
- If I was single Bugman, I'd be standing on the ol' Mustang's Loud pedal going West !!!
Well alas, 5th wife still here, the cars out of gas and so am I
-
Last edited by efiguy on Sun 13 Mar 2011, 04:14, edited 1 time in total.
Jay have you tested the first one lately?
http://en.wordpress.com/typo/?subdomain=sys-security
wher eam I suppose to read on the second one they say they refer to the wiki but there they still refer back to the one referring to the wiki
http://sourceforge.net/apps/mediawiki/x ... =Main_Page
similar with the third one
it is says
notlsd.net (NOTLSD.NET) is for sale
http://en.wordpress.com/typo/?subdomain=sys-security
did you by any chance save the text on that page because it seems gone unless that person have it mirrrored somewhere?sys-security.wordpress.com doesn’t exist
wher eam I suppose to read on the second one they say they refer to the wiki but there they still refer back to the one referring to the wiki
http://sourceforge.net/apps/mediawiki/x ... =Main_Page
similar with the third one
it is says
notlsd.net (NOTLSD.NET) is for sale
I use Google Search on Puppy Forum
not an ideal solution though
not an ideal solution though
Re: Abusing HTTP Status Codes to Expose Private Information
i guess this why lovely young ladies from denver occasionally want to meet meefiguy wrote:But any given pc or system Kernal can be discovered by the TCP/IP stack, and the assigned ISP IP geographically locates one right to a neighborhood.
i live about 600-700 miles from denver though . . .
Re: Abusing HTTP Status Codes to Expose Private Information
With prefbar the script can be turned on and off with a single mouse click.efiguy wrote:
Bruce B, you have taken the critical steps of what an individual can do,
98% of the web requires Jscript to operate, crafted that way, We can
admire "Bugman" for his avoiding the js.
With RequestPolicy, the only site contacted with is the site you visit. Unless
you explicitly allow specific remote sites. This permission can be
temporary or permanent.
So, on the page in question, the JavaScript ran, but the remote sites were unavailable.
I wanted to make it clear, in case it wasn't.
Abusing HTTP Status Codes to Expose Private Information
Edited - didn't trigger mail updates My apologies all <:)
Stack Fingerprinting ( EDIT 1- My apology - Old bookmarks not explored )
More info: * links are good 03-12-2011
- OLD (bad) http://www.sys-security.com/html/projects/X.html
*Replacement- [url]http://capec.mitre.org/data/definitions/316.html[/url]
*New page- [url]http://sourceforge.net/scm/?type=git&group_id=30984[/url]
*old Link page- http://xprobe.sourceforge.net Link page
*New Link page- [url]http://sourceforge.net/apps/mediawiki/x ... =Main_Page[/url]
*new-link-old_page- [url]http://xprobe.sourceforge.net/oldindex.html[/url]
*old PDF- http://xprobe.sourceforge.net/xprobe-ng.pdf
*old PDF- http://xprobe.sourceforge.net/xprobe_dsn_slides.pdf
OLD (bad) http://www.notlsd.net/xprobe/
*Replacement- [url]http://www.phrack.com/issues.html?issue=57&id=7[/url]
Edit 2
Thank you Bruce B, did not understand as you surmized ;)
My system is subject to above attacks, as are most others
Edit 3
- If I was single Bugman, I'd be standing on the ol' Mustang's Loud pedal going West !!!
But alas, 5th wife is still here, the car's out of gas and so am I
jay
-
Stack Fingerprinting ( EDIT 1- My apology - Old bookmarks not explored )
More info: * links are good 03-12-2011
- OLD (bad) http://www.sys-security.com/html/projects/X.html
*Replacement- [url]http://capec.mitre.org/data/definitions/316.html[/url]
*New page- [url]http://sourceforge.net/scm/?type=git&group_id=30984[/url]
*old Link page- http://xprobe.sourceforge.net Link page
*New Link page- [url]http://sourceforge.net/apps/mediawiki/x ... =Main_Page[/url]
*new-link-old_page- [url]http://xprobe.sourceforge.net/oldindex.html[/url]
*old PDF- http://xprobe.sourceforge.net/xprobe-ng.pdf
*old PDF- http://xprobe.sourceforge.net/xprobe_dsn_slides.pdf
OLD (bad) http://www.notlsd.net/xprobe/
*Replacement- [url]http://www.phrack.com/issues.html?issue=57&id=7[/url]
Edit 2
Thank you Bruce B, did not understand as you surmized ;)
My system is subject to above attacks, as are most others
Edit 3
- If I was single Bugman, I'd be standing on the ol' Mustang's Loud pedal going West !!!
But alas, 5th wife is still here, the car's out of gas and so am I
jay
-