Amit Klein's security corner

Predictable JavaScript Math.random and HTTP multipart boundary string

In 2008-2010 I researched common JavaScript Math.random implementations, and multipart boundary strings. I found them to be predictable in all major browsers, and I explored the security and privacy implications (e.g. a limited form of user tracking, and [surprisingly] over-the-web VM detection).

Temporary user tracking in major browsers and Cross-domain information leakage and attacks (June 8th, 2009)
CVE-2008-5913, BugTraq ID 33276

Google Chrome 3.0 (Beta) Math.random vulnerability (August 31st, 2009)
BugTraq ID 36185

Cross-domain information leakage in Firefox 3.6.4-3.6.8, Firefox 3.5.10-3.5.11 and Firefox 4.0 Beta1 (September 14th, 2010)
BugTraq ID 43222, CVE-2010-3171, CVE-2010-3399, MFSA2010-33

Google Chrome 6.0 and above Math.random vulnerability (November 16th, 2010)

Cross-domain information leakage and Temporary user tracking attacks in Apple Safari 4.0.2-4.0.5 and Apple Safari 5.0-5.0.2 (Windows) (November 21st, 2010)
CVE-2010-3804, BugTraq ID 44952

Detecting virtualization over the web with IE9 (platform preview) and Semi-permanent computer fingerprinting and user tracking in IE9 (platform preview) (December 2nd, 2010)



 
