Bugtraq mailing list archives

Re: cache cookies?


From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Tue, 19 Dec 2000 17:37:51 +0800

At 01:40 PM 12/18/00 -0800, Wham Bang wrote:

> The idea is that you can write arbitrary files into a user's cache.
> The presence or absence of a file constitutes a single bit of
> information which can then be retrieved using the timing attacks

You don't have to limit yourself to a single bit.

As you said, you can already write arbitrary files into a user's cache.

So you can write an entire arbitrary html document into a user's cache (Doh :) ).

When the user requests it specifying an "If-modified-since:", just have the
webserver/app tell them to use the cached copy.

The cached copy of the arbitrary html document could have a frame or img
src to a url like this:
/cachecookie?session=b35436eac9bb75e58b74eae78fe.43922

Here's a snippet of Securityfocus' webpage.

<FRAMESET ROWS="0,*" FRAMEBORDER="NO" BORDER="0">
  <FRAME NAME="empty" SRC="/frames/empty.html"  MARGINWIDTH="0"
MARGINHEIGHT="0" SCROLLING="NO">
  <FRAME NAME="main"  SRC="/frames/" MARGINWIDTH="0" MARGINHEIGHT="0"
SCROLLING="NO">
</FRAMESET>

Change this to:

<FRAMESET ROWS="0,*" FRAMEBORDER="NO" BORDER="0">
  <FRAME NAME="empty" SRC="http://watchingoveru.com/cached.shtml"
MARGINWIDTH="0" MARGINHEIGHT="0" SCROLLING="NO">
  <FRAME NAME="main"  SRC="/frames/" MARGINWIDTH="0" MARGINHEIGHT="0"
SCROLLING="NO">
</FRAMESET>


So in this case just make sure that http://watchingoveru.com/cached.shtml
is a script which does the following:
<pseudocode>
If user requests for first time (doesn't specify "If-modified-since:" )
 generate a page with a frameset and
<frame src="/cachecookie?session=b35436eac9bb75e58b74eae78fe.43922">
(or use img src= or background= if your users don't turn off images - you
could detect this).

If user requests for http://watchingoveru.com/cached.shtml specifying an
"if-modified-since:" just return
HTTP/1.0 304 Not Modified
</pseudocode>

The user will then always request for
/cachecookie?session=b35436eac9bb75e58b74eae78fe.43922
Or
/cachecookiepic?session=b35436eac9bb75e58b74eae78fe.43922
(if using img src).

And cachecookie can be a script which does the tracking.

I haven't figured out how to properly deal with proxy caches, so for now
either they'll mess things up, or you'll have to use https and hope that
the browser caches https stuff (caching proxies don't usually cache https
requests, AFAIK they can't cache those CONNECT+SSL requests).

Anyway it seems a bit too much of a bother, and rather academic to me. Most
users surf with cookies on anyway (and client side scripting enabled too).

I find tagging office documents more fun and useful :). You can even see
which pages of msword docs are viewed.

Cheerio,
Link.
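
To make the exchange above concrete from the defender's side, here is a small Python simulation, added here and not the poster's code, of the conditional-request logic in the pseudocode together with a minimal browser cache model. It shows the identifier surviving revisits only while the cached copy exists, and a fresh one being issued once the cache is cleared or the client stops sending If-Modified-Since. The paths, the Last-Modified value and the token format are assumptions.

```python
import secrets
from typing import Optional, Tuple

LAST_MODIFIED = "Mon, 18 Dec 2000 00:00:00 GMT"  # assumed constant, so revisits are conditional
COOKIE_PATH = "/cachecookie?session="  # hypothetical path, as in the post's example


def serve_cached_page(request_headers: dict) -> Tuple[int, dict, str]:
    """Server side of the post's pseudocode for GET /cached.shtml."""
    if "If-Modified-Since" in request_headers:
        # Revisit: 304 makes the browser reuse its cached copy, token included.
        return 304, {}, ""
    token = secrets.token_hex(16)  # constructed per-first-visit identifier
    body = f'<frameset rows="0,*"><frame src="{COOKIE_PATH}{token}"></frameset>'
    return 200, {"Last-Modified": LAST_MODIFIED}, body


def extract_token(body: str) -> str:
    start = body.index(COOKIE_PATH) + len(COOKIE_PATH)
    return body[start:body.index('"', start)]


class Browser:
    """Minimal cache model: keeps one entry and revalidates it with If-Modified-Since."""

    def __init__(self, send_conditional: bool = True) -> None:
        self.cache: Optional[Tuple[str, str]] = None  # (Last-Modified, body)
        self.send_conditional = send_conditional

    def visit(self) -> str:
        headers = {}
        if self.cache and self.send_conditional:
            headers["If-Modified-Since"] = self.cache[0]
        status, resp_headers, body = serve_cached_page(headers)
        if status == 304:
            body = self.cache[1]  # reuse the cached copy, identifier and all
        else:
            self.cache = (resp_headers["Last-Modified"], body)
        return extract_token(body)

    def clear_cache(self) -> None:
        self.cache = None


def demo() -> dict:
    """Show when the identifier persists and which client behaviour breaks it."""
    b = Browser()
    first, second = b.visit(), b.visit()
    b.clear_cache()
    nc = Browser(send_conditional=False)
    return {"persists_across_visits": first == second,
            "survives_cache_clear": b.visit() == first,
            "persists_without_conditional": nc.visit() == nc.visit()}
```

Run demo() to see that only a client which keeps its cache and sends If-Modified-Since carries the same identifier between visits.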

