Comments on: HScan Redux

By: 83 teknik haking baru… « [dot]EXE - Teknik Elektro Unnes

83 teknik haking baru… « [dot]EXE - Teknik Elektro Unnes — Fri, 13 Jun 2008 06:28:15 +0000

[...] HScan Redux [...]

By: mozzio

mozzio — Thu, 29 Mar 2007 17:12:58 +0000

No surprise, any version of the Mozilla browsers with NoScript installed is immune.

http://noscript.net

By: GNUCITIZEN » Noscript HScan

GNUCITIZEN » Noscript HScan — Wed, 28 Feb 2007 23:01:46 +0000

[...] Noscript HScan published: February 28th, 2007 After releasing my Firefox specific history scanner, RSnake came up with his own bleeding edge history scanning technique which is based on Jeremiah Grossman’s implementation but it does not require JavaScript. This approach has its own limitations and advantages. [...]

By: ha.ckers.org web application security lab - Archive » Steal Browser History Without JavaScript

Wed, 28 Feb 2007 17:24:31 +0000

[...] Before that Jeremiah also came up with the original CSS history hack as you may or may not remember. Later on pdp came up with another variant of the same issue using a very different technique (Firefox caching). Both of those techniques were cool, but both of them also required that you have JavaScript turned on. We all know there are still people out there who think turning off JavaScript protects them from everything. [...]

By: MustLive

MustLive — Tue, 27 Feb 2007 19:32:43 +0000

Don’t work in my Mozilla 1.7.7 :P (and in old version of Firefox).

Old version browsers rulez! :-) Want to save your history – use old school browsers.

By: ha.ckers.org web application security lab - Archive » Firefox History Stealing Part 2

Mon, 26 Feb 2007 00:34:57 +0000

[...] pdp has a really interesting demo code that steals Firefox history using the about-cache directive in Firefox. This is a different method than we’ve seen before, and is quite a bit slower in his demo than Jeremiah’s version but it’s equally clever. If you read his post he describes how this is different than the looking at link color, but you get the idea. [...]

By: Jordan

Jordan — Sun, 25 Feb 2007 15:53:33 +0000

Doesn’t work for me, OS X, FF 2.0.0.1 but it’s probably SafeCache or SafeHistory blocking it.

http://safecache.com/
http://safehistory.com/

By: Adriaan

Adriaan — Sat, 24 Feb 2007 10:16:48 +0000

Indeed. Does not work under gentoo linux, 2.0.0.1.

By: dusoft

dusoft — Sat, 24 Feb 2007 01:45:32 +0000

Does not work for Firefox 2.0.0.1 under Linux

By: pdp

pdp — Fri, 23 Feb 2007 22:26:40 +0000

It works on Mac OS 10.4.8 Firefox 2.0.0.1 too.

By: -am

-am — Fri, 23 Feb 2007 20:51:24 +0000

Works on FF 1.5.0.9/WinXP. Good catch :)

By: .mario

.mario — Fri, 23 Feb 2007 15:45:19 +0000

Thanx ;) I did a little quick test and from what i acn say it is hard to impossible. I will give it a deeper look tomorrow. I used it on a jquery featured site trying this:

$.get('about:cache?device=disk', function(response){alert(response);});

By: pdp

pdp — Fri, 23 Feb 2007 15:40:12 +0000

sorry man, fixed it. I am almost certain that you cannot read about:cache with XMLHttpRequest.

By: .mario

.mario — Fri, 23 Feb 2007 15:37:15 +0000

What about XHRing the URL about:cache?device=disk and parsing out all URLs from the response body via regex? Then you’d have a complete history theft – guess i have to test that tomorrow.

BTW, it’s .mario with an o…

By: duk

duk — Fri, 23 Feb 2007 14:46:06 +0000

Firefox 2.0.0.2 is also vulnerable

By: pdp

pdp — Fri, 23 Feb 2007 14:06:51 +0000

.mario about:cache is actually a protocol to access Firefox internal cache information. There are a few other about: directives. about:mozilla is fun.

By: .mario

.mario — Fri, 23 Feb 2007 14:04:11 +0000

This is a very interesting approach of history stealing! I didn’t know about the about:cache-entry directive. I guess i will spend some time the next days to check what other about: directives are available and maybe exploitable…

Great find!