search

samyk / evercookie

Produces persistent, respawning "super" cookies in a browser, abusing over a dozen techniques. Its goal is to identify users after they've removed standard cookies and other privacy data such as Flash cookies (LSOs), HTML5 storage, SilverLight storage, and others.
https://samy.pl/evercookie/
4.43k stars 662 forks source link

Support "the HSTS cookie" #17

Open graingert opened 12 years ago

graingert commented 12 years ago

http://hstscookie.ca/ has a demo fro storing cookies via HSTS browser records:

From the site "The HSTS cookie cannot be removed by clearing your cookies. It will be deleted if you clear 'site preferences', however, doing that will also clear a lot of useful information and expire the HSTS pins for other sites."

SleepProgger commented 8 years ago

I just wrote a POC for that (see https://github.com/SleepProgger/hsts-cookie-poc ). If there is interest i would dig into the evercookie src, merge and send a pull request.

There is a limitations with this technique though: You need to have an wildcard certificate or enough valid certificates. At least Firefox ignores the HSTS Header if the certificate is untrusted (self signed)

samyk commented 8 years ago

Very cool, would love that! The different methods in evercookie are pretty well segregated, you just need a read function, write function and the callers.