Other CSS attacks (Navigation monitor / History crawler / LAN scanner + attack )

From: Eduardo Vela <sirdarckcat@gmail.com>
Date: Wed, 9 Dec 2009 17:45:50 +0800
Message-ID: <8ba534860912090145q2e365b95je079513d3c1950d@mail.gmail.com>
To: public-web-security@w3.org

Hi!

Well.. apparently the CSS attribute reader attack received attention on this
list, so I want to point out some other attacks that were disclosed last
year regarding CSS attacks.

We presented this ppt at Microsoft Bluehat (CSS The Sexy Assassin):
http://tinyurl.com/cssattacks

Anyway, I think we can't do much about it.. but since the presentation was
closed (e.g. only people with an invitation from Microsoft could attend), the
details aren't very well explained out there.. so this may help as a pointer
if anyone is interested in any other attacks possible by only using CSS.

Mostly, the cooler attacks are:

Navigation monitor:
meaning that I can know what page you are visiting and the exact second you
clicked a new link.

History crawler:
like the known :visited hack, but with the power of crawling the pages you
visited in order to get a complete history.

LAN scanner + CSRF attack:
the same, using the visited selector, you can detect which IP addresses are
alive and with an HTTP server running and launch CSRF attacks against them.

Check the PPT for cool graphs :)

Links with moar info:

http://www.thespanner.co.uk/2008/10/20/bluehat/
http://sirdarckcat.blogspot.com/2008/10/about-css-attacks.html
http://p42.us/css/
http://eaea.sirdarckcat.net/cssar/v2/
http://sla.ckers.org/forum/read.php?13,25016
http://sla.ckers.org/forum/read.php?4,29358
http://securethoughts.com/2009/07/hacking-csrf-tokens-using-css-history-hack/


Greetings!!
-- Eduardo
http://www.sirdarckcat.net/

Sent from Hangzhou, 33, China
Received on Wednesday, 9 December 2009 09:46:43 GMT