About XSHM (Cross-Site History Manipulation)

Surging clouds

Foreigners are also keen on the concept of hyping. If you have any skills, you will like to name yourself.

I keep this name out of respect for the author.

Original article reference:

Http://www.webappsec.org/lists/websecurity/archive/2010-01/msg00150.html

At first glance, it seems like css history hack is similar to the previous one. In fact, the principle is still different.

The browser's history object is a special one. Unlike browsing history, this object is not saved locally and does not have so much content.

The history object is the browser's access history in the lifecycle, such as the tab page. It is used to provide operations such as "Forward" and "back.

In firebug, we can see that this object has the following attributes:



The url saved in the history object is a list, which is unreadable due to the same-source policy (SOP.

However, history. length is readable, and XSHM uses history. length to be readable. At the same time, some URLs change the length characteristics to complete information spying.

The details are as follows:
Browser History is a global list of pages that have been visited using a browser tab.
By pressing the back and forward buttons of a browser, a user jumps through her browser
History. If a page contains IFRAME, any location changes inside IFRAME are also
Recorded in the browsers history. Consequently, opening the same URL multiple times
Will insert only one entry into the history list.If a user opens Page A and this page uses
The HTTP Redirect directive to open Page B, only Page B will be stored in the browser ‟ s
History.

Note the last bold sentence,If a redirection occurs, the history object will only add the final page to which the redirection is directed. The same page will not repeat into the list of history objects.

With this feature, we can implement a lot of cross-origin spying.

Algorithm:
1. Create IFRAME with src = Page B
2. Remember the current value of history. length
3. Change src of IFRAME to Page
4. If the value of history. length is the same-then the CONDITION is TRUE

For example, the author's example checks whether a user has logged on:
Appendix 1
Login Detection Script for Internet Explorer

<Html>
<Head>
<Title> Cross-Site Login Detection </title>
</Head>
<Body>
<Form id = "form1">
<Div>
<Iframe src = Login. aspx id = myframe
Onload = checkHistory ()> </iframe>
</Div>
</Form>
</Body>
</Html>

<Script language = "javascript" type = "text/javascript">
Var prevHLength =-1;

Function checkHistory (){
If (prevHLength =-1 ){
PrevHLength = history. length;
Document. getElementById (myframe). src =Protected. aspx; // Change the src of iframe. If you do not log on, the logon page is displayed.
}
Else {
If (prevHLength = history. length ){// The length does not change, indicating that the jump has occurred because login. aspx is already in history.
Alert ("Not authenticated! ");
}
Else {// The length has changed. To be precise, it should be + 1, because protected. aspx is written into the history object, and the jump does not happen.
Alert ("Authenticated ");
}
}
}
</Script>


Using similar methods, the author provides many examples of practical applications. In some cases, using these methods with other vulnerabilities still plays a role.

If you are interested in this, you can read the author's paper carefully.