I hope that the ability to block XSHM attacks (Browser History Manipulation) has been developed.


Notice: This thread has been translated with Google Translator.

Description of XSHM: https://www.owasp.org/index.php/Cross_Site_History_Manipulation_(XSHM)

This attack is increasingly being used to force an ad to be viewed. By manipulating the browser's history, clicking Back takes you to the ad site. Ads appear to be blocked by AdGuard, but it does not seem to prevent browser history manipulation. This can be used as evidence for the attached images. (The video is too large.) Until now, XSHM attacks have been known to be set up separately in Chrome. In fact, Chrome was not attacked because it was configured, but other web browsers were attacked even though AdGuard was applied.

Also, if you use it maliciously, you can keep constantly manipulating the history so that the user does not get out of your ad site. This is often seen on illegal sites, and these ads are very malicious (for example: "I have detected 14 malware on your smartphone!" and it vibrates your smartphone. If I try to get out of that site, I get back to the same site again, and it shows the notice and vibrates again). So I can't prepare a screenshot.

Now, let's look at the thumbnails below.
The korean times.mp4_thumbs_[2018.11.13_11.13.46].jpg

I pressed Back at the 8th thumbnail. It moved to the newspaper company's homepage because of the XSHM attack (because I came to the newspaper article from the search site, you should return to the Google search results if it is normal). There are ads on that homepage, but the ads are blocked by AdGuard. Also, once I click Back, AdGuard comes up with a blocked ad page. Site ads are blocked, but the history is not blocked from being manipulated to register the ad page.

The ad itself can be blocked by reporting it by default, but that does not prevent browser history manipulation. In addition, XSHM can be used for a variety of exploits, even excluding ads, as shown in the top link. And because it is most frequent on mobile pages, I posted this on the Android side of the forum, but sometimes it happens on websites in the desktop environment. However, among browsers, only Chrome has prepared measures, and you have to set them separately. So it would be a good idea to prepare ad-block products like AdGuard.

Could you not make it possible for AdGuard to defend Back from being manipulated? Or is it possible to manipulate the filter with a similar effect?

(Another attached screenshot is an example where an ad was not blocked by AdGuard when an XSHM attack occurred. However, since it is a thumbnail obtained from an illegal comic sharing site, it could cause unpleasantness, so I did not show the picture directly.)