Sniffly: Uses HSTS and CSP to sniff browser history
Sniffly is an attack that abuses HSTS (HTTP Strict Transport Security) and CSP (Content Security Policy) to let any website sniff the user's browsing history. It has been tested in Firefox and Chrome.
Demo
To try the demo, use Firefox, Chrome or Opera with any extension that forces HTTPS (such as HTTPS Everywhere) disabled.
Demo address: Sniffly (open it only in Firefox, Chrome or Opera; it may crash other browsers)
Working Principle
First, we recommend reading src/index.js in the source tree to understand how Sniffly works.
In outline, it works as follows:
1. The user visits a web page with Sniffly embedded in it.
2. The browser attempts to load images from a list of HSTS hosts over plain HTTP.
3. Sniffly sets a CSP (Content Security Policy) that only allows images from http: sources, so the redirect from HTTP to HTTPS is blocked. This step is essential: if the browser completed the HTTPS request, it would receive the host's HSTS pin, and the attack against that host would no longer work on later visits.
4. When the image load is blocked by CSP, its onerror handler is called. The handler measures how long it took for the image request to be redirected from HTTP to HTTPS. If the time is on the order of a millisecond, no network request was made (the browser redirected internally because of a stored HSTS pin), so the user has visited that domain before. If the time is on the order of 100 milliseconds, a network request was made, so the user has not visited that domain before.
Find the HSTS host address
To check which hosts in a website list send the HSTS header, run:
$ cd util
$ ./run.sh > results.log
The default configuration contains 100 URLs; you can substitute a different URL list for your environment, such as the Alexa top 1 million.
The results are then processed and sorted by HSTS max-age; hosts whose max-age is under one day, and hosts that are preloaded, are excluded:
$ cd util
$ ./process.py > processed.log
Afterwards, copy the hosts from processed.log into src/index.js.
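As an added illustration of the processing step above (example code, not the project's own util/process.py), the following Python parses Strict-Transport-Security header values from a constructed results log and keeps only hosts whose policy is valid and long-lived, dropping preloaded hosts because browsers enforce those regardless of history, so they carry no signal. The tab-separated log format is an assumption.

```python
from dataclasses import dataclass

ONE_DAY = 86400

# Constructed sample of a scan log: one "host<TAB>HSTS header value" line
# per host. The format is assumed, not the project's real results.log.
SAMPLE_RESULTS = """\
example.com\tmax-age=31536000; includeSubDomains
preloaded.example\tmax-age=63072000; includeSubDomains; preload
short.example\tmax-age=3600
weird.example\tMAX-AGE="15552000"
bad.example\tmax-age=abc
nohsts.example\t
"""


@dataclass
class HstsPolicy:
    host: str
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797.

    Directive names are case-insensitive and max-age may be quoted.
    Returns (max_age, include_subdomains, preload), or None when the
    header has no valid max-age (browsers ignore such a policy).
    """
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_sub, preload)


def usable_hosts(results_text, min_age=ONE_DAY):
    """Keep hosts with a valid, non-preloaded policy of at least min_age
    seconds, sorted by max-age descending (longest-lived pins first)."""
    kept = []
    for line in results_text.splitlines():
        host, _, header = line.partition("\t")
        parsed = parse_hsts(header) if header.strip() else None
        if parsed is None:
            continue
        max_age, include_sub, preload = parsed
        if max_age < min_age or preload:
            continue
        kept.append(HstsPolicy(host, max_age, include_sub, preload))
    return sorted(kept, key=lambda p: p.max_age, reverse=True)
```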
Run
Open file:///path/to/sniffly/src/index.html in Chrome. Firefox apparently does not honour a CSP delivered in a <meta> tag, so you need to run a local web server that sends the CSP as an HTTP response header. My nginx server block looks like this:
server {
    listen 8081;
    server_name localhost;
    location / {
        root /path/to/sniffly/src;
        add_header Content-Security-Policy "img-src http:";
        index index.html;
    }
}
Or use an Apache .htaccess file:
Header set Content-Security-Policy "img-src http:"
Or send the header from PHP: paste the following snippet at the top of the script (remember to rename index.html to index.php).
Tip
1. Safari, IE and Chrome on iOS are currently not supported.
2. Disable browser extensions that force HTTPS (such as HTTPS Everywhere); they will confuse the results.
3. Do not use Tor Browser, because it rounds timer values to roughly 100 ms.
4. If your browser ships a different HSTS preload list (for example, an older browser version), you may not see accurate results.