Disclosure of user data using css
Technology css despite its external harmlessness can present unpleasant surprises. For example, using two styles and a small javascript insert, we get the opportunity to check absolutely any address for the fact of its visiting by the user.
All modern browsers allow the use of special pseudo classes when manipulating link styles. We are interested in the class visited , assigned to the link in the event that the user has already visited the address specified in its href. At first glance, this approach bears only a positive result - the user sees already visited links on the page and is not confused.
But web pages have long been not only the code of styles and markup, but also an abundance of script inserts, without which many sites simply do not function. JavaScript code has access to any element of the DOM tree and its properties and, therefore, can get information about link styles.
Thus, marking the visited links in a different color than in the normal state and checking the color in the script, one can say whether the user has visited a specific address or not.
"Just think, the problem!" - The average user can say. But no matter how insignificant this problem may seem, it is not worthwhile to underestimate it. Any possibility of disclosing data in the right hands can play a bad joke. How will an intruder behave when he learns that you are visiting the site of sadomasochistic hamster lovers? And in particular the section, for example, red hamsters? Perhaps this will not give him anything, and perhaps will be the first step in collecting information about you for further blackmail ( add paranoia to boost the atmosphere :)).
Also, this technique can be used with certain restrictions for brute-force Basic HTTP authorization .
')
To disclose data, you need to know their potential values, which means that any link on the Internet cannot be verified, and this requires the attacker to enter an array of data that will be checked (although, see Example 2 below).
“A blessing in disguise” - no one will hurt to use this technology for peaceful purposes, for example, on a social network page that allows you to import data from other networks, initially display only those that the user visits.
Or, the store page, knowing that a user has visited a competitors site, can automatically connect a promotional code that lowers prices.
Checks on visiting your Habrappuser profiles from the first People page
Script
Enumerates domain names in the zone .ru and displays a list of visited.
Script
Use caution, may hang the system. Results do not appear immediately, and only domains up to 3 letters inclusive are checked. (Will end with take = 470).
This, of course, is a bad approach; it is much better to load lists of links as you work (for example, from directories).
http://www.gnucitizen.org/blog/javascript-visited-link-scanner/
Theory:
All modern browsers allow the use of special pseudo classes when manipulating link styles. We are interested in the class visited , assigned to the link in the event that the user has already visited the address specified in its href. At first glance, this approach bears only a positive result - the user sees already visited links on the page and is not confused.
But web pages have long been not only the code of styles and markup, but also an abundance of script inserts, without which many sites simply do not function. JavaScript code has access to any element of the DOM tree and its properties and, therefore, can get information about link styles.
Thus, marking the visited links in a different color than in the normal state and checking the color in the script, one can say whether the user has visited a specific address or not.
And why is it bad?
"Just think, the problem!" - The average user can say. But no matter how insignificant this problem may seem, it is not worthwhile to underestimate it. Any possibility of disclosing data in the right hands can play a bad joke. How will an intruder behave when he learns that you are visiting the site of sadomasochistic hamster lovers? And in particular the section, for example, red hamsters? Perhaps this will not give him anything, and perhaps will be the first step in collecting information about you for further blackmail ( add paranoia to boost the atmosphere :)).
Also, this technique can be used with certain restrictions for brute-force Basic HTTP authorization .
')
Restrictions
To disclose data, you need to know their potential values, which means that any link on the Internet cannot be verified, and this requires the attacker to enter an array of data that will be checked (although, see Example 2 below).
Is there any benefit from this
“A blessing in disguise” - no one will hurt to use this technology for peaceful purposes, for example, on a social network page that allows you to import data from other networks, initially display only those that the user visits.
Or, the store page, knowing that a user has visited a competitors site, can automatically connect a promotional code that lowers prices.
Examples of real code:
HabroUzerChecker
Checks on visiting your Habrappuser profiles from the first People page
Script
Domain Brute Forcer
Enumerates domain names in the zone .ru and displays a list of visited.
Script
Use caution, may hang the system. Results do not appear immediately, and only domains up to 3 letters inclusive are checked. (Will end with take = 470).
This, of course, is a bad approach; it is much better to load lists of links as you work (for example, from directories).
Information sources:
http://www.gnucitizen.org/blog/javascript-visited-link-scanner/
Source: https://habr.com/ru/post/46595/
All Articles