Presented at DeepSec 2016 „Ten“
In this talk we show that HSTS headers and long-term cookies (like those used for user tracking) are so prevalent that they allow a malicious Wi-Fi operator (or any other MitM attacker) to gain significant knowledge about the past browsing history of users. We demonstrate how to combine both into a history stealing attack by including specially crafted references in a captive portal or by injecting them into legitimate HTTP traffic.
Captive portals are used on many Wi-Fi Internet hotspots to display a message to the user, like a login page or an acceptable use policy, before they are connected to the Internet. They are typically found in public places such as airports, train stations, or restaurants. Such systems have been known to be troublesome for many reasons.
Presenters:
- Adrian Dabrowski / atrox (SBA Research)
Adrian Dabrowski is a researcher at SBA Research and a lecturer at TU Wien. Besides playing CTFs, his main topics are RFID and mobile phone access network security.