Web browser hacking techniques are frequently platform dependent. Creating stable and cross-platform proof-of-concept code is often challenging. So it is helpful for a [malicious] website, such as http://maliciouswebsite/, to learn everything it can about a visiting browser before executing a real-world attack. We can loosely describe this process as “browser interrogation.”
Browser interrogation is important to understand because it is used pervasively across the Web – it’s what makes browser tracking and device fingerprinting possible. The more someone knows about a browser’s particular configuration, the more accurately tracking companies can follow it from one website to the next — even if the browser’s cookies are deleted. It turns out that a browser’s configuration is often highly unique. The EFF’s Panopticlick project provides some fantastic insights in this area.
For our purposes here, we just want to create stable browser attacks. Below are explanations of many of the basic techniques (and a few advanced examples) of browser interrogation.

Operating System and Browser Type via User-Agent Headers

The easiest way to begin learning to perform browser interrogation is by having a look at the User-Agent header. User-Agent is a header that’s optionally sent with every Web request a browser makes. It reveals to every website — websites like http://maliciouswebsite/ — the distribution and version of your browser and operating system. These are incredibly useful bits of intelligence when attempting to carry out further browser attacks.

Example:

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

In this case, the visitor’s computer is an Intel Mac running Mac OS X 10.7.5 and the browser being used is Google Chrome version 21.0.1180.89. Of course, it is possible for the browser to spoof or suppress this information, that is, to misinform the website; however, the vast majority of people do not do this. Doing so often breaks websites whose cross-browser Web code depends on User-Agent data.

Language Setting, ActiveX Support, and the Referer

Language Setting: A browser’s language setting is a strong indication of where the visitor is geographically located and how to localize an attack if user interaction is required. There are two places to get the language setting.

1) The Accept-Language header that’s sent along with each Web request. As we can see, the person is probably English-speaking.
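To see exactly what the two headers discussed above disclose, here is an added example (not code from the original article): a small JavaScript parser that extracts the operating system and browser from the article's User-Agent string and ranks an Accept-Language value by its q-weights. The function names, the token tables and the Accept-Language sample are assumptions made for illustration.

```javascript
// Added example: what any server can read from two request headers.
// Token tables are illustrative, not exhaustive. Order matters: a Chrome
// User-Agent also contains "Safari/", so the Chrome token is tested first.
const BROWSER_TOKENS = [
  ["Chrome", /Chrome\/([\d.]+)/],
  ["Firefox", /Firefox\/([\d.]+)/],
  ["Safari", /Version\/([\d.]+).*Safari\//],
];
const OS_TOKENS = [
  ["Mac OS X", /Mac OS X ([\d_.]+)/],
  ["Windows NT", /Windows NT ([\d.]+)/],
  ["Linux", /Linux/],
];

// Return the first table entry whose pattern matches, with "_" normalised to ".".
function firstMatch(table, text) {
  for (const [name, pattern] of table) {
    const m = pattern.exec(text);
    if (m) return { name, version: (m[1] || "").replace(/_/g, ".") || null };
  }
  return { name: null, version: null };
}

// A missing or suppressed header yields nulls rather than a guess.
function parseUserAgent(ua) {
  const text = typeof ua === "string" ? ua : "";
  const os = firstMatch(OS_TOKENS, text);
  const browser = firstMatch(BROWSER_TOKENS, text);
  return { os: os.name, osVersion: os.version,
           browser: browser.name, browserVersion: browser.version };
}

// Rank language tags by q-weight; a tag without "q=" defaults to 1.
function parseAcceptLanguage(value) {
  return (value || "")
    .split(",")
    .map((part) => {
      const [tag, ...params] = part.trim().split(";");
      const q = params.map((p) => p.trim()).find((p) => p.startsWith("q="));
      return { tag: tag.trim(), q: q ? parseFloat(q.slice(2)) : 1 };
    })
    .filter((entry) => entry.tag && !Number.isNaN(entry.q))
    .sort((a, b) => b.q - a.q);
}

// The User-Agent quoted in the article; the Accept-Language value is constructed.
const PAGE_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1";
const SAMPLE_LANG = "en;q=0.8, en-US, fr;q=0.3";
console.log(parseUserAgent(PAGE_UA), parseAcceptLanguage(SAMPLE_LANG));
```

Running it against your own browser's headers shows how much a single request discloses before any script executes.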
- … Series Introduction
- …A LOT About Your Web Browser and Computer
- …The Country, Town, and City You Are Connecting From (IP Geolocation)
- …What Websites You Are Logged-In To (Login-Detection via CSRF)
- … I Know Your Name, and Probably a Whole Lot More (Deanonymization via Likejacking, Followjacking, etc.)
- … Who You Work For
- … Your [Corporate] Email Address, and more…
- … Summary and Guidance