External Vulnerability Monitor

W3C CSS :visited Pseudo-Class Information Disclosure Vulnerability (2007-03-01)

Cascading Style Sheets are a series of specifications produced and published by the World Wide Web Consortium (W3C). They are intended to provide a standard for adding literal formatting and layout information to HTML documents. CSS-1 is partially implemented by most web browsers, including Netscape and Internet Explorer.

Features defined in the CSS specification include the :visited pseudo class, used to define styles used on links to previously visited pages, and the ability to include external references in style declarations. Used in conjunction, these features may lead to an information disclosure vulnerability.

An attacker must construct a malicious web page, and include a link to a known, third party web page. The attacker may then define a :visited style for this link, and includes a reference to an attacker controlled file within the style declaration. When the malicious page is loaded, the user's web browser will access the external reference only if it is required. The attacker may then monitor the access to this file, and determine if the user has visited the specified page.

The :visited style defintion may also change information which is available through the browser DOM, allowing client side scripting to detect the state of the link. The script may then take intelligent action, possibly modifying page content or layout.

This is not a normal vulnerability so much as the consequence of a variety of design decisions, including usability and efficiency of the web browser and the difficult question of what information is safe to disclose in the DOM.