JavaScript Visited Link Scanner

Tue, 15 Aug 2006 20:50:51 GMT
by pdp

This is a technique which I learned from Jeremiah Grossman and his presentation on JavaScript malware. Please give all the credit for this finding to Jeremiah.

The POC presented here is my improved version of the POC presented at BlackHat. I made it work in IE6, IE7, Firefox and Opera. My main challenge was IE6. IE6 is very nasty when dealing with dynamically generated style sheets. However, this can be easily solved by reusing the current style sheet. If you are interested in how it works, just read the source code. It is worth mentioning that the IE bug was also fixed in AttackAPI.

Archived Comments

Wow, the code looks awesome, but is there any way that I can store all the visited pages in a text document? I need it for my project.
Well, you need a server that will handle all the gathered data and then store it into a simple text file. You can use PHP or any other scripting language for this purpose.
Hi, I have tested this javascript-visited-link-scanner on several computers that have IE7 installed. Unfortunately it didn't work. Am I doing something wrong, or is this a known problem with this JavaScript scanner?
What is this used for?
jk, it is useful if you want to detect where the user has been before arriving on the malicious site.
Your demo doesn't work in Safari. (the approach works, though)
alf, that might be the case. Keep in mind, though, that the latest stuff is inside AttackAPI.
Hey, I looked at the JavaScript. Can you explain to me where you are stealing the history from? I didn't get the trick.
yeah no go in ie6 windows for me... kind of pissed I didn't test it on the site beforehand. :(
The technique has been improved drastically since its discovery. You should be able to find better code in AttackAPI. Nevertheless, the current version of AttackAPI is a bit broken. I will try to fix it at some point in the future when I have got some time.