by blakel
4859 days ago
It's not a timing attack. The behavior of the browser, after appending a '#' to location.href, is different depending on the value of the current URL. The state of the browser after making such a change gives you information about what the current URL was before making the change. The information it gives you is whether or not you only appended '#.*' to the current URL. Normally, this information is only available in this context if the current URL follows the code origin policies of the currently executing code. In most browsers, this means you can only look at current URLs if they are in the same domain as the executing code. The article shows code that exploits this to try to guess your Facebook username. This is interesting 1) because it allows for brute force attacks to gain potentially sensitive information, 2) because this may cause new discoveries that could make this more efficient or that expand what is possible, and 3) because this behavior is as designed.

1) detecting URL by assigning hash + onload (iframe)
2) detecting URL by assigning hash + timing of history (window)
I just made it work for both frame/window this way.