Bugtraq
mailing list archives
CSS visited pages disclosure
From: Andrew Clover <and () doxdesk com>
Date: Wed, 20 Feb 2002 10:06:45 +0000
Affected: web browsers with CSS support
Vendor: various
Risk: low
Background
==========
In www.cs.princeton.edu/sip/pub/webtiming.pdf, Felten and
Schneider outline a method for pages on an attacking server to
detect whether pages on another server have been visited, by
trying to fetch a URL from the target server and using the time
taken to fetch it to guess whether the URL was in the browser's
local cache.
A method is also suggested to use the browser cache, read this
way, as a store for persistent user data ("cache cookies").
CSS has a feature that can be abused to exactly the same ends. It
is simpler, more accurate, and more easily abused than the timing
attacks described in the above paper.
Issue
=====
The CSS :visited pseudo-class can be used to apply different on-
screen styling to links leading to pages the user has already
visited. However, the styling can have side effects which can be
detected by the attacking server. For example, the page at
www.smith-widgets.foo/ could include the following markup:
<a id="jones" href="http://www.jones-widgets.foo/"></a>
with the style:
#jones:visited {