Especially since I just read a foreign colleague's evaluation of this technique, which matches my own feelings exactly, I couldn't help feeling discouraged... Attackers have to weigh costs, and using this technique to pull off CSRF costs far too much; a real hacker has no time to sit around waiting by the tree stump with this thing.
But... but... the graduation project still has to be done. If I give up researching this and switch topics again, I might as well forget about graduating!!! What a dilemma...
Here are the original words. Incisive! Sharp!!!
Browser history sniffing isn't anything new: Mozilla has documented this "flaw" since 2000. The reason that this isn't that serious is that they can't retrieve an arbitrary history: just if you have visited a specific URL (not even a particular domain or site!) that it asks for. So unless the attacker explicitly asks if you've been to http://example.org/47, it will never know that you've been to http://example.org/47. It can't find that out by probing http://example.org/, http://example.org/47?x, or even http://example.org/47/. It must probe http://example.org/47, verbatim. Brute-forcing every possible URL? Yea, good luck with that. Brute-forcing every possible URL over a network connection? I think this just won the Most Impractical Exploit Award.
Practically, the extent of this flaw is to make for a nice sensationalist parlor trick for use by some grandstanding website that claims to have "discovered" a hole that people had known about for a decade, capable of determining if you've ever been to a common site, like google.com. Utterly useless for any sort of meaningful attack. Not to mention, it's slow and burdensome on the attacker's server.
As for disabling META refreshes, that's silly. It's not going to save you from this "exploit"--it's used by this particular demo, and that's it. I can use this exploit to sniff your browser history regardless of whether you have disabled META refreshes. And disabling META refreshes in general is usually a pretty big hit on usability (for a selective block of META refreshes, you can use NoRedirect, but with respect to this sniffing exploit, it's completely irrelevant).