A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


HTTP Covert channel using only HTML/CSS - Thomas Slota (BSides Tampa 2020) (Hacking Illustrated Series InfoSec Tutorial Videos)

HTTP Covert channel using only HTML/CSS
Thomas Slota
William York
BSides Tampa 2020

Abstract:
A covert channel is a secretive communication channel that can bypass traditional security measures. They provide a means of communicating through mechanisms that are not intended for communication. In this paper, we propose a covert channel that utilizes only HTML and the CSS hover feature to transmit messages. To do this, we create a website with our covert channel on a web page and develop a tool that converts a plain ASCII message to hex, and based on the CSS hover locations, control the mouse to move to the hover locations. A manual implementation of this was explored. However, the manual transmission had a larger margin for error compared to program-driven mouse control. The covert channel takes advantage of the fact that this is a new CSS only mouse-tracking technique using the hover feature, which can bypass common tracking protections. The covert channel is hidden to blend in with the background of any given web page. Our results show that we can reliably transmit a message at a rate of 13 bytes per second utilizing the mouse control transmission tool.

Bio:
Slota: Received a Bachelor's Degree from Rochester Institute of Technology in Computing Security in the Spring of 2019. Completed 3 Internships at Leidos Corporation focusing on Software Defined Networking. Currently I am a first year Computing Security Masters student at Rochester Institute of Technology with a focus in Malware

York:Student at RIT finishing my Bachelors degree in Computer Science and a Masters in Computer Security, graduating May 2020. Have done four work tours with the Department of Defense as a Software Engineer. .

Back to BSides Tampa 2020 video list

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast