Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Full Disclosure: Re: [WEB SECURITY] Stealing Search Engine Queries with JavaScript

Re: [WEB SECURITY] Stealing Search Engine Queries with JavaScript

From: Brian Eaton <eaton.lists_at_gmail.com>
Date: Fri, 29 Sep 2006 15:18:44 -0400

On 9/29/06, Billy Hoffman <Billy.Hoffman_at_spidynamics.com> wrote:
> Possible uses:
>
> -HMO's website could check if a visitor has been searching other sites about
> cancer, cancer treatments, or drug rehab centers.
>
> -Advertising networks could gather information about which topics someone is
> interested based on their search history and use that to echance their
> customer databases.
>
> -Government websites could see if a visitor has been searching for
> bomb-making instructions.

Correct me if I'm wrong, but it looks like the technique only works if
you can guess the entire set of search terms the user entered.

For example, let's say I searched for "XSS hack". The technique won't
work if the attacking web site checks only for "XSS", or only for
"hack". The technique does reveal that I searched for "XSS hack"
though.

Regards,
Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on Sep 29 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]