A few days ago I posted about how to control cross site scripting remotely. This is a pretty powerful tool in the web application security toolkit - specifically for attackers attempting to mount remote attacks. I did fail to mention one thing about this. But let me start from the beginning. Once upon a time, I was trying to get Gerv to implement content restrictions and, additionally, iframes that resize dynamically based on the embedded content. Both had their uses for isolating user information in another domain, or at minimum restricting what it can do in the realm of the page it resides on. The bug had trouble getting through, because knowing the state of a user on another site via cross site request forgeries is deemed a security issue.
Then I started thinking about how my own image controlled XSS worked. Because I now know the size of an image hosted remotely, I could also potentially know the state of the user. Picture a dynamic image that changes its actual size based on user state. It’s a fairly tricky thing to do, and very rare, but I have seen it before: a “Hello, user!” banner versus “Hello, RSnake!”, generated dynamically to suit the user.
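As an added example (not code from the original post), here is the defender-side check that follows from this: the width and height a browser exposes for a cross-site image come straight from the PNG’s IHDR chunk, so a site that serves a personalized image should make sure every state-dependent variant has identical dimensions. The script parses that header and flags an image set whose sizes differ between states. The PNG headers, the variant names and the “greeting banner” scenario are constructed for the example; the script assumes Node.js for `Buffer`.

```javascript
// Added example, not from the original post: a lint that reads the
// dimensions a browser would expose for a PNG and checks that every
// state-dependent variant of a personalized image has the same size,
// so width/height cannot serve as a logged-in versus logged-out oracle.
// The PNG headers below are constructed sample data; the state names
// ("anonymous", "signedIn") are hypothetical.

const PNG_SIGNATURE = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Build just the signature plus the IHDR chunk of a PNG. That is enough to
// carry the width/height fields a browser reports; the CRC is left as zeros
// because this is sample data, not an image a viewer needs to render.
function makePngHeader(width, height) {
  const ihdr = Buffer.alloc(25); // 4 length + 4 type + 13 data + 4 crc
  ihdr.writeUInt32BE(13, 0);          // IHDR data length
  ihdr.write('IHDR', 4, 'ascii');     // chunk type
  ihdr.writeUInt32BE(width, 8);       // width, big-endian
  ihdr.writeUInt32BE(height, 12);     // height, big-endian
  ihdr[16] = 8;                       // bit depth
  ihdr[17] = 6;                       // colour type: RGBA
  // bytes 18-20: compression, filter, interlace = 0; bytes 21-24: CRC (zeros)
  return Buffer.concat([PNG_SIGNATURE, ihdr]);
}

// Read width/height from the IHDR chunk, which the PNG spec requires to be
// the first chunk after the 8-byte signature.
function pngDimensions(buf) {
  if (buf.length < 24 || !buf.subarray(0, 8).equals(PNG_SIGNATURE)) {
    throw new Error('not a PNG');
  }
  if (buf.toString('ascii', 12, 16) !== 'IHDR') {
    throw new Error('IHDR is not the first chunk');
  }
  return { width: buf.readUInt32BE(16), height: buf.readUInt32BE(20) };
}

// variants: { stateName: pngBuffer }. Returns the distinct "WxH" sizes seen;
// more than one entry means the image dimensions reveal the user's state.
function distinctSizes(variants) {
  const seen = new Set();
  for (const buf of Object.values(variants)) {
    const { width, height } = pngDimensions(buf);
    seen.add(`${width}x${height}`);
  }
  return [...seen];
}

function leaksState(variants) {
  return distinctSizes(variants).length > 1;
}

// Constructed sample: a greeting banner whose width grows with the name.
const greetingBanner = {
  anonymous: makePngHeader(120, 20), // "Hello, user!"
  signedIn: makePngHeader(160, 20),  // "Hello, RSnake!"
};

// The same banner after the server pads every variant onto a fixed canvas.
const fixedCanvasBanner = {
  anonymous: makePngHeader(200, 20),
  signedIn: makePngHeader(200, 20),
};

console.log('greeting banner leaks state:', leaksState(greetingBanner));         // true
console.log('fixed canvas banner leaks state:', leaksState(fixedCanvasBanner));  // false
```

Run it over the actual image variants an application can emit for a given URL (one fetch per user state) rather than over constructed headers; any URL that yields more than one size is the kind of oracle the post describes. Rendering every variant onto a fixed-size canvas removes the signal; on current browsers the response can additionally carry `Cross-Origin-Resource-Policy: same-origin`, a header that postdates this post and makes the browser refuse to embed the image cross-origin at all, so neither dimensions nor load success are observable from another site.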
There is another application that I haven’t figured out a good use for, but via things like PHP easter eggs, Apache default icons, etc… you can actually fingerprint the machine remotely. I don’t see what value this has, particularly, unless you are using the XSS proxy idea and you really never want to touch the machine in question at all.