Re: [WEB SECURITY] client-side "transaction monitoring" beacons
- From: Bil Corry <bil@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] client-side "transaction monitoring" beacons
- Date: Wed, 28 May 2008 14:12:05 -0500
Hoffman, Billy wrote on 5/27/2008 2:55 PM:
> If JavaScript is disabled a simple <NOSCRIPT><IMG SRC></NOSCRIPT>
> does the same thing, though at that point you are relying on Referer
> header which could get stripped by various privacy tools.
Or you could have the image source point to your server, and redirect from your server to the web analytics site using the GET params to pass along any pertinent information.
The sneakiest method I've come across was a site using a redirect on /favicon.ico to a web analytics site, which in turn would serve the favicon and a tracking cookie. On Firefox (and others?), since the request for favicon.ico happens outside the normal page request, you can't use AdBlock or a similar mechanism to block favicon.ico; you can, however, block the cookie. I turned off favicons in Firefox to prevent this type of tracking.
- Bil
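
The redirect-based beacons described in this message (an image or /favicon.ico request bounced to an analytics host, with GET parameters and a cookie) can be checked for when auditing a site. The following is an added example, not part of the original post: it inspects a recorded response chain for the favicon request and reports cross-site redirects, data passed in the query string, and cookies set by a third-party host. The hostnames, the sample chain and the `same_site` rule are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: recorded response chain for GET /favicon.ico.
# Hostnames and cookie values are placeholders, not taken from the post.
SAMPLE_CHAIN = [
    {"url": "https://shop.example/favicon.ico", "status": 302,
     "headers": [("Location", "https://stats.tracker.example/fav?site=shop")]},
    {"url": "https://stats.tracker.example/fav?site=shop", "status": 200,
     "headers": [("Content-Type", "image/x-icon"),
                 ("Set-Cookie", "uid=abc123; Max-Age=63072000; Path=/")]},
]

def same_site(host, page_host):
    # Simplification (assumption): a host is first-party if it equals the
    # page host or is a subdomain of it. A real audit would compare
    # registrable domains using the Public Suffix List.
    return host == page_host or host.endswith("." + page_host)

def audit_favicon_chain(page_url, chain):
    """Return (kind, hop_index, detail) findings for a recorded chain."""
    page_host = urlsplit(page_url).hostname
    findings = []
    for i, hop in enumerate(chain):
        host = urlsplit(hop["url"]).hostname
        third_party = not same_site(host, page_host)
        for name, value in hop["headers"]:
            name = name.lower()
            if name == "location" and 300 <= hop["status"] < 400:
                # Resolve relative redirects against the current hop URL.
                target = urlsplit(urljoin(hop["url"], value))
                if not same_site(target.hostname, page_host):
                    findings.append(("cross-site-redirect", i, target.hostname))
                    if target.query:
                        findings.append(("data-in-query", i, target.query))
            elif name == "set-cookie" and third_party:
                cookie_name = value.split("=", 1)[0].strip()
                findings.append(("third-party-cookie", i, cookie_name))
    return findings

if __name__ == "__main__":
    for finding in audit_favicon_chain("https://shop.example/", SAMPLE_CHAIN):
        print(finding)
```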