Cross-Site History Manipulation (XSHM) is a Same Origin Policy (SOP) bypass. SOP is the most important security concept of modern browsers: by design, web pages from different origins cannot communicate with each other. XSHM is based on the fact that the client-side browser history object is not properly partitioned on a per-site basis. Manipulating the browser history can compromise SOP, enable bi-directional CSRF and lead to further abuse such as user privacy violation, login status detection, resource mapping, sensitive information inference, user activity tracking and URL parameter stealing.
By manipulating the browser history it is possible to compromise SOP and violate user privacy. Using CSRF together with history manipulation, not only integrity but also confidentiality can be targeted: responses from a different origin become observable, and cross-site information leakage is achieved.
The following attack vectors, all based on XSHM techniques, are possible:
+ Cross-Site Condition Leakage
  - Login Detection
  - Resource Mapping
  - Error Leakage
  - State Detection
  - Information Inference
+ Cross-Site User Tracking
+ Cross-Site URL/Parameters Enumeration
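The condition-leakage vectors above depend on a target page that can be framed by another origin and that redirects to a fixed, state-dependent URL. The following added example (not part of this tool) shows a hypothetical WSGI middleware that removes both preconditions on the defending application: it denies cross-origin framing and appends a random nonce to every redirect target so the resulting URL is never predictable. The `sample_app` and its cookie value are constructed for illustration.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample application: it redirects to a fixed URL that depends on
# whether the (simulated) session is logged in. A predictable, state-dependent
# redirect like this is what XSHM login detection observes.
def sample_app(environ, start_response):
    if environ.get("HTTP_COOKIE") == "session=valid":
        start_response("302 Found", [("Location", "/account")])
    else:
        start_response("302 Found", [("Location", "/login")])
    return [b""]

def add_nonce(location: str) -> str:
    """Append a random query parameter so the redirect target is unpredictable."""
    parts = urlsplit(location)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("xshm_nonce", secrets.token_urlsafe(16)))
    return urlunsplit(parts._replace(query=urlencode(query)))

class XSHMHardening:
    """Hypothetical WSGI middleware: forbids framing and randomises redirects."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def hardened_start_response(status, headers, exc_info=None):
            new_headers = []
            for name, value in headers:
                if name.lower() == "location":
                    value = add_nonce(value)
                new_headers.append((name, value))
            # Deny cross-origin framing so the page cannot be loaded inside an
            # iframe on another origin (both legacy and CSP forms).
            new_headers.append(("X-Frame-Options", "DENY"))
            new_headers.append(("Content-Security-Policy", "frame-ancestors 'none'"))
            return start_response(status, new_headers, exc_info)
        return self.app(environ, hardened_start_response)

def run_request(app, cookie=None):
    """Drive a WSGI app with a constructed GET request; return (status, headers)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    list(app(environ, start_response))
    return captured["status"], captured["headers"]
```

Two requests in the same login state now receive different `Location` values, and the framing headers stop the page from being embedded cross-origin in the first place.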
git clone https://github.com/xamfp/XSHM-Payload-Generator && cd XSHM-Payload-Generator
Then open http://127.0.0.1:5000/ in a browser.