When The Feature Becomes A Threat.

Publicated on : 1183533825
When the feature becomes a threat people begin to see it's danger.

While I was browsing the security list of NIST today I saw they included my site as reference for a ton of browser bugs and exploits, but one attracted my attention and that was my talk about the "feature" history.length in browsers. Every browser is more or less "vulnerable" to it. I must be careful what I say here, because it is still a browser gadget to know how many pages the surfers has been to.

But, in an article I said it can be used to determine if the user has disabled page caching or page history in a quick way. This could be useful if we want to carry out an attack that is based upon page history. Yes I was amazed that browsers let me scan the users history length these days.

So, one can see how I came from a feature to an actual reconnaissance technique, without very little effort then just the imagination. Let this be an inspiration to those who still think that file disclosure, error information, path info and cross site scripting is minor stuff and should be trivialized. One can do, but also bear the consequences when you do some day.