JavaScript Visited Link Scanner

Tue, 15 Aug 2006 20:50:51 GMT

This is a technique which I learned from Jeremiah Grossman and his presentation on JavaScript malware. Please, keep all the credits for this finding to Jeremiah.

The POC presented here is my improved version of the POC presented in BlackHat. I made it work in IE6, IE7, Firefox and Opera. My main challenge was IE6. IE6 is very nasty when dealing with dynamically generated style sheets. However, these can be easy solved by reusing the current style sheet. If you are interested how it works just read the source code. It is worth mentioning that the IE bug was also fixed in AttackAPI.

KalyaniKalyani
Wow, the code looks awesome, but is there any way that I store all the visited pages to a text document. I need it for my project.
pdppdp
Well, you need a server that will handle all the gathered data and then store it into a simple text file. You can use PHP or any other scripting language for this purpose.
NadavNadav
Hi, I have tested this javascript-visited-link-scanner on several computers that have IE7 installed. Unfortuantly it didn't worked. Am i doing something wrong, Or this a known problem with this java script scanner?
jkjk
what is this use for?
pdppdp
jk, it is useful if you want to detect where the user has been before arriving on the malicious site.
alfalf
Your demo doesn't work in Safari. (the approach works, though)
pdppdp
alf, that might be the case. keep in mind though that the latest stuff are inside AttackAPI.
kalyanikalyani
Hey, I looked at java script, can you explain me where are you stealing the history from, I didn't get the trick
dude1dude1
yeah no go in ie6 windows for me... kind of pissed I didn't test it on the site beforehand. :(
pdppdp
the technique has been improved drastically since its discovery. You should be able to find better code in AttackAPI. Nevertheless, the current version of AttackAPI is a bit broken. I will try to fix it at some point in the future when I have got some time.