Abusing HTTP Status Codes to Expose Private Information
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 10653
Location: Arizona USA

PostPosted: Sun 20 Feb 2011, 23:33    Post subject:  Abusing HTTP Status Codes to Expose Private Information  

https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information
Quote:
When you visit my website, I can automatically and silently determine if you're logged into Facebook, Twitter, GMail and Digg.....
jpeps

Joined: 31 May 2008
Posts: 3219

PostPosted: Mon 21 Feb 2011, 04:24    Post subject:  

If people insist on running browsers with javascript, adobe flash, active x, etc, what do they expect? Even on a TOR proxy, "features" like google toolbars can grab your personal info....and it's for sale.
efiguy


Joined: 06 Sep 2006
Posts: 169

PostPosted: Mon 21 Feb 2011, 19:02    Post subject: Abusing HTTP Status Codes to Expose Private Information
Subject description: another forum link on browser security probs
 

Good Job Flash,

We should connect this "browser spilling" to :

http://murga-linux.com/puppy/viewtopic.php?t=62391

Example:
- A curious site webmaster will visit a number of sites that he would like to know whether his own "visitors" are also viewing, like the city banks, restaurants, grocery, auto dealers, etc. They save the home page and comb them for obscure, yet unique from all the other "curious about" desired links small pics. These are then obliquely loaded into his own website, and they wait.

- Someone visits the "curious" site, now the "misc pic files" load from his site or the browser cache, revealing where the browser "goes to" or doesn't.

- just one way

Have G'day group
Bruce B


Joined: 18 May 2005
Posts: 11049
Location: The Peoples Republic of California

PostPosted: Sat 12 Mar 2011, 08:56    Post subject:  

Even though I'm running Javascript, he doesn't know. Not on my
computer.

1) he can't know where I came from

2) he can't know my OS or browser, worse, his site is informed I'm
running XP with IE 6

3) he can't know if I'm logged into Facebook, Twitter or Google

All this is default, preemptive for all sites, not just this one.

RequestPolicy addon prevents #3

Preferences Toolbar is set to refuse to send referrer and spoof the
OS and browser. Thus messing up #1 and #2

Yes, I strongly recommend the RequestPolicy and Preferences
Toolbar AND they are easy to use and intuitive.

See pic below showing the sites which were blocked by default.

[Attached image: doesnt-know.png]

_________________
New! Puppy Linux Links Page
bugman


Joined: 20 Dec 2005
Posts: 2131
Location: buffalo commons

PostPosted: Sat 12 Mar 2011, 10:19    Post subject:  

this sort of creepy stuff is part of the reason i've switched from javascript to php in my website coding

don't know if php can do this stuff at all, but since it can't be turned off, visitors to my benign sites don't get security warnings or missing features

thanks for posting

_________________
. . . the machines are clean
and the machines are not corrupted


- lee "scratch" perry
efiguy


Joined: 06 Sep 2006
Posts: 169

PostPosted: Sat 12 Mar 2011, 12:05    Post subject: Abusing HTTP Status Codes to Expose Private Information
Subject description: The stack
 

Hi,

Bruce B, you have taken the critical steps of what an individual can do. 98% of the web requires Jscript to operate, crafted that way. We can admire "Bugman" for his avoiding the js.

- But any given pc or system kernel can be discovered by the TCP/IP stack, and the assigned ISP IP geographically locates one right to a neighborhood.

Stack Fingerprinting ( EDIT 1- My apology - Old bookmarks not explored )
More info: * links are good 03-12-2011
- OLD (bad) http://www.sys-security.com/html/projects/X.html
*Replacement- http://capec.mitre.org/data/definitions/316.html

*New page- http://sourceforge.net/scm/?type=git&group_id=30984
*old Link page- http://xprobe.sourceforge.net Link page
*New Link page- http://sourceforge.net/apps/mediawiki/xprobe/index.php?title=Main_Page
*new-link-old_page- http://xprobe.sourceforge.net/oldindex.html
*old PDF- http://xprobe.sourceforge.net/xprobe-ng.pdf
*old PDF- http://xprobe.sourceforge.net/xprobe_dsn_slides.pdf

OLD (bad) http://www.notlsd.net/xprobe/
*Replacement- http://www.phrack.com/issues.html?issue=57&id=7


- Once we click the browser, we don phosphorescent clothing covered in text.

Jay

Edit 2
Thank you Bruce B, did not understand as you surmised ;)
My system is subject to above attacks, as are most others

Edit 3
- If I was single Bugman, I'd be standing on the ol' Mustang's Loud pedal going West !!!
Well alas, 5th wife still here, the car's out of gas and so am I
-

Last edited by efiguy on Sun 13 Mar 2011, 00:14; edited 1 time in total
nooby

Joined: 29 Jun 2008
Posts: 10508
Location: SwedenEurope

PostPosted: Sat 12 Mar 2011, 12:32    Post subject:  

Jay have you tested the first one lately?

http://en.wordpress.com/typo/?subdomain=sys-security
Quote:
sys-security.wordpress.com doesn’t exist


Did you by any chance save the text on that page? It seems gone unless that person has it mirrored somewhere.

Where am I supposed to read on the second one? They say they refer to the wiki, but there they still refer back to the one referring to the wiki
http://sourceforge.net/apps/mediawiki/xprobe/index.php?title=Main_Page

similar with the third one

it says
notlsd.net (NOTLSD.NET) is for sale

_________________
I use Google Search on Puppy Forum
not an ideal solution though
bugman


Joined: 20 Dec 2005
Posts: 2131
Location: buffalo commons

PostPosted: Sat 12 Mar 2011, 13:02    Post subject: Re: Abusing HTTP Status Codes to Expose Private Information
Subject description: The stack
 

efiguy wrote:
But any given pc or system kernel can be discovered by the TCP/IP stack, and the assigned ISP IP geographically locates one right to a neighborhood.


i guess this is why lovely young ladies from denver occasionally want to meet me

i live about 600-700 miles from denver though . . .

_________________
. . . the machines are clean
and the machines are not corrupted


- lee "scratch" perry
Bruce B


Joined: 18 May 2005
Posts: 11049
Location: The Peoples Republic of California

PostPosted: Sat 12 Mar 2011, 15:27    Post subject: Re: Abusing HTTP Status Codes to Expose Private Information
Subject description: The stack
 

efiguy wrote:


Bruce B, you have taken the critical steps of what an individual can do,
98% of the web requires Jscript to operate, crafted that way, We can
admire "Bugman" for his avoiding the js.


With prefbar the script can be turned on and off with a single mouse click.

With RequestPolicy, the only site contacted is the site you visit, unless
you explicitly allow specific remote sites. This permission can be
temporary or permanent.

So, on the page in question, the JavaScript ran, but the remote sites were unavailable.

I wanted to make it clear, in case it wasn't.

_________________
New! Puppy Linux Links Page
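
The behaviour Bruce B describes for RequestPolicy (only the visited site is contacted unless a remote site is explicitly allowed, temporarily or permanently) can be modelled as a default-deny decision function. This is an added example, not part of the thread and not RequestPolicy's own code; the class and function names and the `.example` hostnames are hypothetical, and "same site" is simplified to the last two hostname labels.

```javascript
// Simplified model of a default-deny cross-site request policy.
// Not RequestPolicy's code; every name here is hypothetical.

// Assumption: "site" = last two hostname labels. A real implementation
// would consult the Public Suffix List (e.g. for co.uk).
function siteOf(url) {
  const labels = new URL(url).hostname.split(".");
  return labels.slice(-2).join(".");
}

class CrossSitePolicy {
  constructor() {
    this.permanent = new Set(); // "pageSite>destSite" rules kept across sessions
    this.temporary = new Set(); // rules dropped when the session ends
  }
  allow(pageUrl, destUrl, { temporary = false } = {}) {
    const rule = `${siteOf(pageUrl)}>${siteOf(destUrl)}`;
    (temporary ? this.temporary : this.permanent).add(rule);
  }
  endSession() {
    this.temporary.clear();
  }
  // Decide whether a subresource request made by pageUrl may leave the browser.
  decide(pageUrl, destUrl) {
    const from = siteOf(pageUrl);
    const to = siteOf(destUrl);
    if (from === to) return "allow:same-site";
    const rule = `${from}>${to}`;
    if (this.permanent.has(rule)) return "allow:permanent-rule";
    if (this.temporary.has(rule)) return "allow:temporary-rule";
    return "block:cross-site";
  }
}

// Constructed sample: one page and the subresource requests it triggers.
function auditPage(policy, pageUrl, requests) {
  return requests.map((dest) => ({ dest, verdict: policy.decide(pageUrl, dest) }));
}

const policy = new CrossSitePolicy();
const page = "https://curious.example/index.html";
const requests = [
  "https://curious.example/style.css",
  "https://static.curious.example/logo.png",
  "https://social.example/account/settings", // third-party request, blocked by default
  "https://cdn.example/lib.js",              // third party the user allowed for this session
];
policy.allow(page, "https://cdn.example/", { temporary: true });
for (const r of auditPage(policy, page, requests)) console.log(r.verdict, r.dest);
```

A blocked request is never sent, so the page's script has no response, and therefore no status code, to observe for that site.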
efiguy


Joined: 06 Sep 2006
Posts: 169

PostPosted: Sun 13 Mar 2011, 00:46    Post subject: Abusing HTTP Status Codes to Expose Private Information
Subject description: link updates
 

Edited - didn't trigger mail updates My apologies all <:)

Stack Fingerprinting ( EDIT 1- My apology - Old bookmarks not explored )
More info: * links are good 03-12-2011
- OLD (bad) http://www.sys-security.com/html/projects/X.html
*Replacement- http://capec.mitre.org/data/definitions/316.html

*New page- http://sourceforge.net/scm/?type=git&group_id=30984
*old Link page- http://xprobe.sourceforge.net Link page
*New Link page- http://sourceforge.net/apps/mediawiki/xprobe/index.php?title=Main_Page
*new-link-old_page- http://xprobe.sourceforge.net/oldindex.html
*old PDF- http://xprobe.sourceforge.net/xprobe-ng.pdf
*old PDF- http://xprobe.sourceforge.net/xprobe_dsn_slides.pdf

OLD (bad) http://www.notlsd.net/xprobe/
*Replacement- http://www.phrack.com/issues.html?issue=57&id=7


Edit 2
Thank you Bruce B, did not understand as you surmised ;)
My system is subject to above attacks, as are most others

Edit 3
- If I was single Bugman, I'd be standing on the ol' Mustang's Loud pedal going West !!!
But alas, 5th wife is still here, the car's out of gas and so am I

jay
-