Bugtraq mailing list archives
Re: cache cookies?
From: Lincoln Yeoh <lyeoh () POP JARING MY>
Date: Tue, 19 Dec 2000 17:37:51 +0800
At 01:40 PM 12/18/00 -0800, Wham Bang wrote:
> The idea is that you can write arbitrary files into a user's cache. The presence or absence of a file constitutes a single bit of information which can then be retrieved using the timing attacks
You don't have to limit yourself to a single bit. As you said, you can already write arbitrary files into a user's cache. So you can write an entire arbitrary HTML document into a user's cache (Doh :) ). When the user requests it specifying an "If-modified-since:", just have the webserver/app tell them to use the cached copy.

The cached copy of the arbitrary HTML document could have a frame or img src to a URL like this:

    /cachecookie?session=b35436eac9bb75e58b74eae78fe.43922

Here's a snippet of Securityfocus' webpage:

    <FRAMESET ROWS="0,*" FRAMEBORDER="NO" BORDER="0">
    <FRAME NAME="empty" SRC="/frames/empty.html" MARGINWIDTH="0" MARGINHEIGHT="0" SCROLLING="NO">
    <FRAME NAME="main" SRC="/frames/" MARGINWIDTH="0" MARGINHEIGHT="0" SCROLLING="NO">
    </FRAMESET>

Change this to:

    <FRAMESET ROWS="0,*" FRAMEBORDER="NO" BORDER="0">
    <FRAME NAME="empty" SRC="http://watchingoveru.com/cached.shtml" MARGINWIDTH="0" MARGINHEIGHT="0" SCROLLING="NO">
    <FRAME NAME="main" SRC="/frames/" MARGINWIDTH="0" MARGINHEIGHT="0" SCROLLING="NO">
    </FRAMESET>

So in this case just make sure that http://watchingoveru.com/cached.shtml is a script which does the following:

<pseudocode>
If the user requests it for the first time (doesn't specify "If-modified-since:"),
generate a page with a frameset and
    <frame src="/cachecookie?session=b35436eac9bb75e58b74eae78fe.43922">
(or use img src= or background= if your users don't turn off images - you could detect this).

If the user requests http://watchingoveru.com/cached.shtml specifying an "If-modified-since:",
just return HTTP/1.0 304 Not Modified
</pseudocode>

The user will then always request /cachecookie?session=b35436eac9bb75e58b74eae78fe.43922, or /cachecookiepic?session=b35436eac9bb75e58b74eae78fe.43922 (if using img src). And cachecookie can be a script which does the tracking.
I haven't figured out how to properly deal with proxy caches, so for now either they'll mess things up, or you'll have to use https and hope that the browser caches https stuff (caching proxies don't usually cache https requests; AFAIK they can't cache those CONNECT+SSL requests).

Anyway it seems a bit too much of a bother, and rather academic to me. Most users surf with cookies on anyway (and client side scripting enabled too). I find tagging office documents more fun and useful :). You can even see which pages of MS Word docs are viewed.

Cheerio,
Link.
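The exchange Lincoln sketches in pseudocode above, written out as an added example with both sides of the conversation. This is not code from the original post or from Securityfocus; the tracker host, the `/cached.shtml` and `/cachecookie` paths, the `handle_request()`, `Browser` and `visits()` names and the session-id format are assumptions made here to mirror his description. The server plants a session id in a frameset on the first (unconditional) request, answers every later `If-Modified-Since` request with `304 Not Modified`, and logs the referring page whenever the planted frame is fetched; the toy client keeps a URL-keyed cache and revalidates exactly as a browser would.

```python
import re
import secrets
from email.utils import formatdate

# Assumed names, following the post's example rather than any real deployment.
TRACKER_HOST = "watchingoveru.com"
CACHED_PATH = "/cached.shtml"
COOKIE_PATH = "/cachecookie"

# Server-side tracking log: session id -> list of referring pages seen.
SESSIONS = {}

# A fixed Last-Modified date so every planted copy revalidates the same way.
LAST_MODIFIED = formatdate(1000000000, usegmt=True)


def new_session_id():
    """Mint an id of roughly the same shape as the one quoted in the post."""
    return f"{secrets.token_hex(14)}.{secrets.randbelow(100000):05d}"


def handle_request(path, headers, referer=None):
    """Server side of the exchange. Returns (status, response_headers, body)."""
    if path == CACHED_PATH:
        if "If-Modified-Since" in headers:
            # Revisit: tell the browser its cached copy is still good. That
            # copy already carries the session id planted on the first visit.
            return 304, {}, b""
        sid = new_session_id()
        body = (
            '<FRAMESET ROWS="0,*" FRAMEBORDER="NO" BORDER="0">\n'
            f'<FRAME NAME="tag" SRC="{COOKIE_PATH}?session={sid}" SCROLLING="NO">\n'
            "</FRAMESET>\n"
        ).encode()
        return 200, {"Last-Modified": LAST_MODIFIED, "Content-Type": "text/html"}, body
    if path.startswith(COOKIE_PATH + "?session="):
        sid = path.split("=", 1)[1]
        SESSIONS.setdefault(sid, []).append(referer)
        # The tracker URL itself must never be cached, or later visits
        # would be served from the browser cache and never reach the server.
        return 200, {"Cache-Control": "no-cache", "Pragma": "no-cache"}, b""
    return 404, {}, b""


def visits(sid):
    """Referers logged for one session id (the tracker's view of one browser)."""
    return list(SESSIONS.get(sid, []))


FRAME_SRC = re.compile(r'<FRAME\b[^>]*\bSRC="([^"]+)"', re.IGNORECASE)


class Browser:
    """Toy client: a URL-keyed cache with If-Modified-Since revalidation."""

    def __init__(self):
        self.cache = {}  # path -> (last_modified, body)

    def fetch(self, path, referer=None):
        headers = {}
        cached = self.cache.get(path)
        if cached:
            headers["If-Modified-Since"] = cached[0]
        status, resp_headers, body = handle_request(path, headers, referer)
        if status == 304 and cached:
            body = cached[1]  # reuse the planted document verbatim
        elif status == 200 and "Last-Modified" in resp_headers:
            self.cache[path] = (resp_headers["Last-Modified"], body)
        return status, body

    def visit(self, page):
        """Simulate a page that embeds the hidden frame pointing at the tracker.

        Returns (status of the cached.shtml request, session id the browser
        ended up sending to the tracker).
        """
        status, body = self.fetch(CACHED_PATH, referer=page)
        src = FRAME_SRC.search(body.decode()).group(1)
        self.fetch(src, referer=page)  # the frame's own request hits the tracker
        return status, src.split("session=", 1)[1]


if __name__ == "__main__":
    b = Browser()
    print(b.visit("http://site-a.example/"))  # first visit: 200 and a fresh id
    print(b.visit("http://site-b.example/"))  # later visit: 304, same id
```

Two browsers visiting the same constructed pages get different ids, while one browser keeps the same id across pages even though it never received a Set-Cookie header. The example only models the browser's own cache; as the post notes, an intermediate caching proxy would break the scheme, because the 304 would be served (or the planted copy shared) across users.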
Current thread:
- Re: cache cookies?, (continued)
- Re: cache cookies? MadHat (Dec 18)
- Re: cache cookies? Steve Shockley (Dec 16)
- Re: cache cookies? Rossen Raykov (Dec 16)
- Re: cache cookies? Nick Lamb (Dec 18)
- Re: cache cookies? Thomas Reinke (Dec 18)
- Re: cache cookies? Kee Hinckley (Dec 16)
- Re: cache cookies? Szilveszter Adam (Dec 18)
- Re: cache cookies? James Taylor (Dec 19)
- Re: cache cookies? Szilveszter Adam (Dec 18)
- Re: cache cookies? Rob Lemos (Dec 18)
- Re: cache cookies? Wham Bang (Dec 18)
- Re: cache cookies? Lincoln Yeoh (Dec 19)
- Re: cache cookies? Wham Bang (Dec 19)