| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 4 Dec 2011 09:31:20 +1100 From: xD 0x41 <secn3t@...il.com> To: Veeraganesh Reddy Thondapu <veeraganeshreddy@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: fast and somewhat reliable cache timing New book.. Oh my bad, I meant his NEW book wich offers chapter.3 for free reading... I would love to see the Cascading Stlye Sheets chapter, so i guess ill be buying it. NoStarch have been long regarded as ebook publishers who seem to have security in mind, so it would be a worthy buy.. Cheers. On 4 December 2011 09:25, Veeraganesh Reddy Thondapu <veeraganeshreddy@...il.com> wrote: > Sorry for my ignorance but the book you were mentioning is that his Old book > or the new one titled > > The Tangled Web: A Guide to Securing Modern Web Applications > > regards > > > > On Saturday, 3 December 2011, xD 0x41 <secn3t@...il.com> wrote: >> Yea, is interesting, i tested it on Firefox v8 windowsXP platform and >> it did not find anything, mind you i use 'private browsing' for *all* >> browsing... so i am wondering if that maybe helps keeping my cache >> secure... i also noticed that it returned no results, when in fact i >> had just been redirected from gmail to there, wich would mean >> google.com would have shown... so, private-browsing must be a safer >> way to browse.. very awesome PoC, i do recall also some botnet source >> codes in .cpp codes of bots wich can dump caches of upto i think FF4 >> or so now..when the dlls were used to store things possibly... i have >> not kept up with it, but that was in alot of bots, just called >> pstore.cpp and similarly the cmd could be done with .pstore >> website.com ,and that would do a cache search, for abut 5-6 browsers >> in one.. it managed to work with IE and FF anyhow, i tested srcs of >> 120- and nzmbot and they were able to extract infos they shouldnt >> have... >> Your eBook is definately on my to read list, and i am already l;ooking >> at the chapter.3 you give away free on your blog, actually, i know >> *anything* you write about, is going to be good :) >> cheers mate. >> d >> >> >> On 3 December 2011 22:50, Michele Orru <antisnatchor@...il.com> wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Great PoC Michal, >>> >>> I tested the "orig" PoC on Chrome 15, Opera 11.52 and FF 8.1 on Mac OSX >>> 10.6.8 and is reliable. >>> >>> I'm certainly adding it to the BeEF project. >>> >>> Cheers >>> antisnatchor >>> >>> Michal Zalewski wrote: >>>> Evening, >>>> >>>> This party trick is not particularly exciting, but hopefully >>>> highlights a vaguely interesting point: >>>> >>>> http://lcamtuf.coredump.cx/cachetime/ >>>> >>>> In essence, in the past few years, browser vendors have severely >>>> crippled CSS :visited selectors in order to prevent CSS-based history >>>> snooping that made the headlines not long ago (see, for example, >>>> http://wtikay.com). Although it's fairly obvious that other privacy >>>> side channels, such as cache timing, theoretically disclose comparable >>>> data, the attacks demonstrated so far offered, at best, vaguely >>>> probabilistic results (say, >>>> http://www.cs.princeton.edu/sip/pub/webtiming.pdf). On top of that, >>>> cache probing was considered destructive, which significantly limited >>>> its usability. >>>> >>>> Consequently, an argument was made that CSS :visited offered unique >>>> performance and reliability benefits and needed to be addressed >>>> separately, while no serious work takes place on the remaining >>>> vectors. >>>> >>>> My PoC exploits cache timing in Firefox in what appears to be a fairly >>>> fast and reliable way. It is a crude hack, so it will probably fail >>>> for some of you - but it's probably still interesting. The key point >>>> is that to probe for cached content without immediately polluting the >>>> cache, we abort navigation before the HTTP request is made. We also >>>> work around setTimeout / setInterval clamps by leveraging event >>>> delivery. >>>> >>>> PS. If this is even remotely interesting, you may also enjoy >>>> http://lcamtuf.coredump.cx/tangled/ >>>> >>>> Cheers, >>>> /mz >>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ >>> -----BEGIN PGP SIGNATURE----- >>> Version: GnuPG v1.4.9 (Darwin) >>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ >>> >>> iQEcBAEBAgAGBQJO2gzyAAoJEBgl8Z+oSxe4Gs8H/jgNmbiKwxSsisCuyN51bIbW >>> C/8seFbSOtmUu15UghUvunHNTDcINC6DE9MCpW8NisgHKlc6GAgdrU+2kLBy94bR >>> 7RVhvbO0ok9MoII4iJqbl392tscWzJ07HCfZEOOwgy4JoI8/lla6LNPhUBepcayX >>> 50gZclVxRreBbbb+W9Oboz50u8rcfJCu/zopLPbrhNDdL7G+ORD9pO0FRc3+jsgm >>> 11/Bbs9bwRTJGIOsm+TILvb2lpDHS6Ax6jbjj+9udqBW3oQfBtveb8aAFtDg7+vk >>> Vz8aODJ78V6bcqCLn+I1WcedD0/cEHvkKi2E+UcBLdF2OQp5+mUIMiN8pnluvBE= >>> =nUp+ >>> -----END PGP SIGNATURE----- >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists