JavaScript Visited Link Scanner
This is a technique that I’ve learned from Jeremiah Grossman and his presentation on JavaScript malware. Please, keep all the credits for this finding to Jeremiah.
The POC presented here is my improved version of the POC presented in BlackHat. I made it work in IE6, IE7, Firefox and Opera. IE6 is very nasty when dealing with dynamically generated style sheets. However, these can be easy solved by reusing the current style sheet. If you are interested how it works just read the source code. It is worth mentioning that the IE bug was fixed in AttackAPI.
“True” means that you have visited the link. Given large enough set of popular urls, attackers can discover which websites you like visiting and as such construct accurate profile of your activities.
comments
Wow, the code looks awesome, but is there any way that I store all the visited pages to a text document. I need it for my project.
Well, you need a server to that will handle all the gatered data and then store it into a simple text file. You can use PHP or any other scripting language for this.
Hi,
I have tested this javascript-visited-link-scanner on several computers that have IE7 installed.
Unfortuantly it didn’t worked.
Am i doing something wrong, Or this a known problem with this java script scanner?
what is this use for?
jk, it is useful if you want to detect where the user has been before arriving on the malicious site.
Your demo doesn’t work in Safari. (the approach works, though)
alf, that might be the case. keep in mind though that the latest stuff are inside AttackAPI.
Hey, I looked at java script, can you explain me where are you stealing the history from, I didn’t get the trick
yeah no go in ie6 windows for me…
kind of pissed I didn’t test it on the site beforehand. :(
the technique has been improved drastically since the early days. You should be able to find better code in AttackAPI. Nevertheless, the current version of AttackAPI is a bit broken. I will try to fix it at some point in the future when I’ve got some time.