Message-ID: <CALCvwp6VFe138FE2bz3SBA9kPCyD4z1fPw0=cgiomrfrn7STbw@mail.gmail.com>
Date: Sun, 4 Dec 2011 09:31:20 +1100
From: xD 0x41 <secn3t@...il.com>
To: Veeraganesh Reddy Thondapu <veeraganeshreddy@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: fast and somewhat reliable cache timing
New book..
Oh my bad, I meant his NEW book, which offers chapter 3 for free
reading... I would love to see the Cascading Style Sheets chapter, so
I guess I'll be buying it. NoStarch have long been regarded as ebook
publishers who seem to have security in mind, so it would be a worthy
buy..
Cheers.
On 4 December 2011 09:25, Veeraganesh Reddy Thondapu
<veeraganeshreddy@...il.com> wrote:
> Sorry for my ignorance but the book you were mentioning is that his Old book
> or the new one titled
>
> The Tangled Web: A Guide to Securing Modern Web Applications
>
> regards
>
>
>
> On Saturday, 3 December 2011, xD 0x41 <secn3t@...il.com> wrote:
>> Yeah, it is interesting. I tested it on Firefox v8 on the Windows XP platform and
>> it did not find anything, mind you I use 'private browsing' for *all*
>> browsing... so I am wondering if that maybe helps keep my cache
>> secure... I also noticed that it returned no results, when in fact I
>> had just been redirected from Gmail to there, which would mean
>> google.com would have shown... so, private browsing must be a safer
>> way to browse.. very awesome PoC. I do recall also some botnet source
>> codes in .cpp codes of bots which can dump caches of up to, I think, FF4
>> or so now.. when the dlls were used to store things possibly... I have
>> not kept up with it, but that was in a lot of bots, just called
>> pstore.cpp, and similarly the cmd could be done with .pstore
>> website.com, and that would do a cache search for about 5-6 browsers
>> in one.. it managed to work with IE and FF anyhow. I tested srcs of
>> 120- and nzmbot and they were able to extract info they shouldn't
>> have...
>> Your eBook is definitely on my to-read list, and I am already looking
>> at the chapter 3 you give away free on your blog; actually, I know
>> *anything* you write about is going to be good :)
>> cheers mate.
>> d
>>
>>
>> On 3 December 2011 22:50, Michele Orru <antisnatchor@...il.com> wrote:
>>> Great PoC Michal,
>>>
>>> I tested the "orig" PoC on Chrome 15, Opera 11.52 and FF 8.1 on Mac OSX
>>> 10.6.8 and it is reliable.
>>>
>>> I'm certainly adding it to the BeEF project.
>>>
>>> Cheers
>>> antisnatchor
>>>
>>> Michal Zalewski wrote:
>>>> Evening,
>>>>
>>>> This party trick is not particularly exciting, but hopefully
>>>> highlights a vaguely interesting point:
>>>>
>>>> http://lcamtuf.coredump.cx/cachetime/
>>>>
>>>> In essence, in the past few years, browser vendors have severely
>>>> crippled CSS :visited selectors in order to prevent CSS-based history
>>>> snooping that made the headlines not long ago (see, for example,
>>>> http://wtikay.com). Although it's fairly obvious that other privacy
>>>> side channels, such as cache timing, theoretically disclose comparable
>>>> data, the attacks demonstrated so far offered, at best, vaguely
>>>> probabilistic results (say,
>>>> http://www.cs.princeton.edu/sip/pub/webtiming.pdf). On top of that,
>>>> cache probing was considered destructive, which significantly limited
>>>> its usability.
>>>>
>>>> Consequently, an argument was made that CSS :visited offered unique
>>>> performance and reliability benefits and needed to be addressed
>>>> separately, while no serious work takes place on the remaining
>>>> vectors.
>>>>
>>>> My PoC exploits cache timing in Firefox in what appears to be a fairly
>>>> fast and reliable way. It is a crude hack, so it will probably fail
>>>> for some of you - but it's probably still interesting. The key point
>>>> is that to probe for cached content without immediately polluting the
>>>> cache, we abort navigation before the HTTP request is made. We also
>>>> work around setTimeout / setInterval clamps by leveraging event
>>>> delivery.
>>>>
>>>> PS. If this is even remotely interesting, you may also enjoy
>>>> http://lcamtuf.coredump.cx/tangled/
>>>>
>>>> Cheers,
>>>> /mz
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/