Pictures from external resources - good or evil?
Most multi-visited sites allow you to host images from external resources. This is a very convenient and useful feature not only for ordinary users, but also for people collecting information about you.
Do you want to know more information about the most effective methods? Are you interested in how to determine the screen resolution, local time and change a couple of passwords using a small picture? Welcome under the cut!
Active methods are detectable, but they can give us the desired result.
')
We need to get all the information that allows us to separate each user from the main mass, and then begin to follow them. At the lowest level, this is the IP protocol , then TCP , possibly SSL / TLS , and then HTTP .
Traditionally, this area uses traffic analysis.
These are two requests, from the same page, to the same image, but from different browsers. As you can see, it is not only the contents of the headers that differ, but also their order. Different versions of browsers will also have differences, so we can assume that the User-Agent is localized and deliberately changed.
In the case of a large file, reading the timestamps can determine the speed of information transfer. By speed and IP-address you can find out the provider and the tariff that will help apply social engineering to the person.
Now we are moving to the most interesting, why don't we squeeze all the maximum possible from this technique?
You must have heard about this data transfer technology between the server and the client, it was already supported by IE version 2. Recently, Mozilla Firefox 22 came up, in which the installation of cookies from third-party domains was blocked by default, but everyone who uses other browsers will get a big surprise. Usage vectors:
With the first paragraph, everything is clear - we set a cookie with a long validity period, we write a unique identifier into it, and then we read everything.
The second item is just as simple as the first one β if we do not set the expiration date, the cookie will be valid until the first browser is closed, so a request will come only with the first cookie.
Data from Wikipedia says that each browser sets a limit on the amount of data, moreover, it sometimes changes from version to version, thereby publishing another image from another domain can increase the likelihood of a correct definition.
The implementation of the fourth paragraph requires some effort:
The server sets a cookie using Set-Cookie , sets the necessary parameters and sends everything to the browser. The browser saves the parameters and only the data comes back - elegantly and simply.
The most interesting thing here is in the date field, it is set in the format Wdy, DD Mon YYYY HH: MM: SS GMT , that is, one regardless of location, but if the system time is not synchronized or a different time zone appears, there will be differences.
Note: all this will work only when the server has not transmitted the Date header with its time - the browser needs to somehow get out.
Let's set the control and 12 more different versions of cookies with a difference of 2 hours and see the next user response by redirecting through the Location . Then narrowing or extending (If the time is changed by more than a day), if necessary, the range is reached to the second marks, after which you can determine the relationship between server and client time and identify the person next time.
The browser's cache allows you to do exactly the same thing when cookies are disabled:
Subsequent request to the server will look like this:
Now the server has the right to give the status of 304 Not Modified without transferring the picture itself - the browser will take it from the cache.
Details about the title painted here .
The HTTP Link Header is equivalent to the <link> tag. You can specify a link to the rss-tape, style sheet, etc. directly in the headers - this is a chance, because HTML can not be included in the picture ( Except for old versions of Internet Explorer ).
Using modern features of CSS 3 - media queries - you can load data through conditions, for example, by screen resolution:
This method will not always work - images are loaded only if there are corresponding tags, there is no support for WebKit , the syntax is limited in conditions. But with some configurations it works!
See habrahabr.ru/post/151538 and habrahabr.ru/post/180877
In addition, the infinite gif can be used to track the user's time on the page β the socket will be closed when the tab is closed or hang after changing the network settings, switching proxy servers, VPN servers ...
This title (unlike Link ) is not set by standards, however, it is supported almost everywhere.
It allows redirection after a certain period of time - if the user loads the page, and then, without closing the tabs, he will disable the VPN and proxy - his IP will be in our pocket.
The method is very old, I do not argue, it also works on the headers and is still relevant. And if you give out the form only to the right people to find an ambush where no one will look for it, it becomes an impossible task.
Materials: habrahabr.ru/post/140054
If the URL is rigidly filtered does not mean that it is impossible to conduct such an attack. Through the same Location header, you can send a malicious link to change passwords, send messages or something else:
It is possible to use only the GET method, such vulnerabilities are widespread today. Often there are safe, but unpleasant CSRF on razloginivanie, you can disable the site for a while.
Internal networks are widely used in OpenVPN technology, there were thoughts to determine their presence by measuring the TTL that comes to the server and the minimum possible value when delivering a packet.
The method was quickly refuted - the path to the resource and from the resource may not coincide ( material ) and the method will give more failures than correct answers.
However, the application is still there, the default TTL in Linux is 64, in Windows it is 128. These large differences will help determine the OS of the remote host in some cases.
The method is very simple, however, it is suitable only for Win systems where products like Kaspersky Internet Security are widely used. Placing the virus code in the picture to track its blocking is not difficult - the resource can be blocked for a long time, the picture will never fall into the cache.
This may be necessary, but here you have to be as careful as possible - when such activity is detected, nothing good shines.
If you have a website, think, and you need so many problems because of one feature?
UPD1:
baadf00d in the comments reminded about DNS leaks (they allow you to determine which DNS server to use, sometimes itβs a provider).
Google's public servers:
Do you want to know more information about the most effective methods? Are you interested in how to determine the screen resolution, local time and change a couple of passwords using a small picture? Welcome under the cut!
Content:
- Pictures from external resources - good or evil?
What we will use
- Passive methods - transparent for the user recording of incoming information
- Active methods - returning unique content to each request.
Active methods are detectable, but they can give us the desired result.
')
Passive methods
We need to get all the information that allows us to separate each user from the main mass, and then begin to follow them. At the lowest level, this is the IP protocol , then TCP , possibly SSL / TLS , and then HTTP .
Traditionally, this area uses traffic analysis.
| Mozilla Firefox (EN) | Google Chrome (RU) |
| |
In the case of a large file, reading the timestamps can determine the speed of information transfer. By speed and IP-address you can find out the provider and the tariff that will help apply social engineering to the person.
Bots
Most bots that emulate the browsing of a site and are not based on browser engines do not result in a lower case host header β this tag will help to quickly detect villains without the help of the administration: <img src="http://HABRAhabr.ru/image.png" alt=" "> Active methods
Now we are moving to the most interesting, why don't we squeeze all the maximum possible from this technique?
Cookie
You must have heard about this data transfer technology between the server and the client, it was already supported by IE version 2. Recently, Mozilla Firefox 22 came up, in which the installation of cookies from third-party domains was blocked by default, but everyone who uses other browsers will get a big surprise. Usage vectors:
- Comparison of client outputs from different IP
- Tracking different browser sessions
- Browser definition based on data limits
- Determination of local time accurate to second
With the first paragraph, everything is clear - we set a cookie with a long validity period, we write a unique identifier into it, and then we read everything.
The second item is just as simple as the first one β if we do not set the expiration date, the cookie will be valid until the first browser is closed, so a request will come only with the first cookie.
Data from Wikipedia says that each browser sets a limit on the amount of data, moreover, it sometimes changes from version to version, thereby publishing another image from another domain can increase the likelihood of a correct definition.
The implementation of the fourth paragraph requires some effort:
Set-Cookie: name=VALUE[; expires=DATE][; path=PATH][; domain=DOMAIN_NAME][; secure][; HttpOnly]; Cookie: name=VALUE; The server sets a cookie using Set-Cookie , sets the necessary parameters and sends everything to the browser. The browser saves the parameters and only the data comes back - elegantly and simply.
The most interesting thing here is in the date field, it is set in the format Wdy, DD Mon YYYY HH: MM: SS GMT , that is, one regardless of location, but if the system time is not synchronized or a different time zone appears, there will be differences.
Note: all this will work only when the server has not transmitted the Date header with its time - the browser needs to somehow get out.
Let's set the control and 12 more different versions of cookies with a difference of 2 hours and see the next user response by redirecting through the Location . Then narrowing or extending (If the time is changed by more than a day), if necessary, the range is reached to the second marks, after which you can determine the relationship between server and client time and identify the person next time.
Cache
The browser's cache allows you to do exactly the same thing when cookies are disabled:
Etag
When the image is returned, an Etag header with a unique hash string is given: Etag: 1aa69b6c6273a8 Subsequent request to the server will look like this:
If-None-Match: 1aa69b6c6273a8 Now the server has the right to give the status of 304 Not Modified without transferring the picture itself - the browser will take it from the cache.
Last-Modified
An older analog of Etag can also be used for tracking. Indicates the date the document was last modified. Server => Last-Modified: Fri, 02 Jan 1970 10:17:36 GMT Client => If-Modified-Since: Fri, 02 Jan 1970 10:17:36 GMT Server => HTTP/1.1 304 Not Modified Expires
Indicates the date of the possible expiration of the document. Longer analogue of determining time. Expires: Fri, 02 Jan 1970 10:17:36 GMT Cache-Control: must-revalidate Details about the title painted here .
Title Link
The HTTP Link Header is equivalent to the <link> tag. You can specify a link to the rss-tape, style sheet, etc. directly in the headers - this is a chance, because HTML can not be included in the picture ( Except for old versions of Internet Explorer ).
Link: <./style.css>; rel=stylesheet Using modern features of CSS 3 - media queries - you can load data through conditions, for example, by screen resolution:
@media all and (device-width: 1024px) { html { background: url("./w1024.jpg"); } } @media all and (device-height: 768px) { body { background: url("./h768.jpg"); } } This method will not always work - images are loaded only if there are corresponding tags, there is no support for WebKit , the syntax is limited in conditions. But with some configurations it works!
Infinite gif
The idea is that in the format of an animated GIF, the number of frames is not indicated, so after displaying the picture, the browser waits for new frames from the server until it receives signal bits about the end of the file. In other words, the server can push messages to the browser over an open channel in the GIF.
(c) alizar
See habrahabr.ru/post/151538 and habrahabr.ru/post/180877
In addition, the infinite gif can be used to track the user's time on the page β the socket will be closed when the tab is closed or hang after changing the network settings, switching proxy servers, VPN servers ...
Refresh header
This title (unlike Link ) is not set by standards, however, it is supported almost everywhere.
Refresh: 15; url=http://habrahabr.ru/images/bg-multilogo.png It allows redirection after a certain period of time - if the user loads the page, and then, without closing the tabs, he will disable the VPN and proxy - his IP will be in our pocket.
Basic-authentication
The method is very old, I do not argue, it also works on the headers and is still relevant. And if you give out the form only to the right people to find an ambush where no one will look for it, it becomes an impossible task.
Materials: habrahabr.ru/post/140054
CSRF attacks
CSRF is a type of attack on website visitors that uses the disadvantages of the HTTP protocol. If the victim enters the site created by the attacker, a request is secretly sent to another server (for example, to the server of the payment system), performing some kind of malicious operation (for example, transferring money to the attacker's account). In order to carry out this attack, the victim must be authorized on the server to which the request is sent, and this request must not require any confirmation from the user, which cannot be ignored or forged by the attacking script.
https://ru.wikipedia.org/wiki/Feintime_retail_query falsification
If the URL is rigidly filtered does not mean that it is impossible to conduct such an attack. Through the same Location header, you can send a malicious link to change passwords, send messages or something else:
Location: http://www.ru/panel/password?newpass=qwerty&newpass2=qwerty&submit=ok It is possible to use only the GET method, such vulnerabilities are widespread today. Often there are safe, but unpleasant CSRF on razloginivanie, you can disable the site for a while.
Low-level, erroneous and other methods
Gray IP (Internal Network) Detection
Internal networks are widely used in OpenVPN technology, there were thoughts to determine their presence by measuring the TTL that comes to the server and the minimum possible value when delivering a packet.
The method was quickly refuted - the path to the resource and from the resource may not coincide ( material ) and the method will give more failures than correct answers.
However, the application is still there, the default TTL in Linux is 64, in Windows it is 128. These large differences will help determine the OS of the remote host in some cases.
Determining the use of a firewall (For Win)
The method is very simple, however, it is suitable only for Win systems where products like Kaspersky Internet Security are widely used. Placing the virus code in the picture to track its blocking is not difficult - the resource can be blocked for a long time, the picture will never fall into the cache.
Host scan
This may be necessary, but here you have to be as careful as possible - when such activity is detected, nothing good shines.
Conclusion
If you have a website, think, and you need so many problems because of one feature?
UPD1:
baadf00d in the comments reminded about DNS leaks (they allow you to determine which DNS server to use, sometimes itβs a provider).
Google's public servers:
8.8.8.8 8.8.4.4 Firefox Settings (about: config): network.proxy.socks_remote_dns = 1 Source: https://habr.com/ru/post/196984/
All Articles