Ajax: mouse postion tracker
Ajax is a powerful approach.
But, a programmer can implement a very harmful code, I think.
To test my idea, I've coded "mouse poistion tracker" with Ajax.
Consder the following example code.
<html> <body> <script> // Note: this code only works in Microsoft Internet Explorer. function mouse() { x = event.x + document.body.scrollLeft; y = event.y + document.body.scrollTop; //alert('x = ' + x + ', y = ' + y); http = new ActiveXObject("Microsoft.XMLHTTP"); http.open('get', 'mouse.php?x' + x + '&y=' + y); http.send(null); } document.onmousemove = mouse; </script> </body> </html>
The code above can be used to track the mouse movement of a site visitor.
Tracking is performed with realtime!
The visitor will NOT notice what is performed in this site.
What a terrible thing to do!
The administrator of the site can check the access log.
# tail -f /usr/local/apache2/logs/access_log [...] [18/Jun/2005:15:33:05 +0900] "GET .../test/mouse.php?x197&y=153 HTTP/1.1" 200 1 [18/Jun/2005:15:33:05 +0900] "GET .../test/mouse.php?x286&y=145 HTTP/1.1" 200 1 [18/Jun/2005:15:33:06 +0900] "GET .../test/mouse.php?x282&y=144 HTTP/1.1" 200 1 [18/Jun/2005:15:33:06 +0900] "GET .../test/mouse.php?x268&y=143 HTTP/1.1" 200 1 [18/Jun/2005:15:33:06 +0900] "GET .../test/mouse.php?x250&y=140 HTTP/1.1" 200 1 [18/Jun/2005:15:33:06 +0900] "GET .../test/mouse.php?x232&y=137 HTTP/1.1" 200 1
I have a question.
When an attacker injects the JavaScript code to a XSS vulnerable site, what will happen?