History Stuffing with HTML5


The HTML5 history API is a standardized way to manipulate the browser history. Using the history.pushState method, you can immediately change the URL in the location bar, as well as add a state object entry into the browser history.

It's certainly convenient and well adopted today, allowing companies such as Twitter and Facebook to eliminate the use of fragment identifiers (#). However, along with convenience comes a new risk. By abusing the pushState method, we're able to conduct History Stuffing.




What is History Stuffing?

History Stuffing is a technique for filling the browser's history. With pushState, you can stuff specific keywords into the history, which the browser will later suggest when the user types in the location bar. As an example, if a user were to type facebook.com in their location bar, they would then encounter a stuffed entry.
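One way a site owner could detect this behaviour in scripts running on their own pages, as an added example that is not part of the original post: it wraps pushState on a History-like object and records an alert when a short time window holds too many pushes or too many domain-like keywords that are not the site's own host. The function names, thresholds, regex and the `app.example` host are assumptions made for illustration.

```javascript
// Added example (not from the article): flag stuffing-like history.pushState use.
// Thresholds, the regex and the extension list are assumptions to tune per app.
const DOMAIN_LIKE = /(?:[a-z0-9-]+\.)+[a-z]{2,}/gi;
const FILE_EXT = new Set(['html', 'htm', 'php', 'js', 'css', 'png', 'jpg', 'json']);

// pushState only accepts same-origin URLs, so stuffed keywords have to sit in
// the path, query or fragment. Return domain-like tokens that are not our own.
function foreignDomains(url, ownHost) {
  const u = new URL(url, `https://${ownHost}/`);
  let text = u.pathname + u.search + u.hash;
  try { text = decodeURIComponent(text); } catch (e) { /* keep raw text */ }
  return (text.match(DOMAIN_LIKE) || [])
    .map((d) => d.toLowerCase())
    .filter((d) => d !== ownHost && !FILE_EXT.has(d.split('.').pop()));
}

// Wrap pushState on a History-like object; record an alert when one time window
// holds too many pushes or too many distinct foreign domain-like tokens.
function monitorHistory(history, ownHost, opts = {}) {
  const { windowMs = 1000, maxPushes = 10, maxForeign = 3, now = Date.now } = opts;
  const recent = [];
  const alerts = [];
  const original = history.pushState;
  history.pushState = function (state, title, url) {
    const t = now();
    recent.push({ t, domains: url == null ? [] : foreignDomains(String(url), ownHost) });
    while (t - recent[0].t > windowMs) recent.shift();
    const foreign = new Set(recent.flatMap((r) => r.domains));
    if (recent.length > maxPushes || foreign.size > maxForeign) {
      alerts.push({ t, pushes: recent.length, foreign: [...foreign].sort() });
    }
    return original.apply(this, arguments);
  };
  return alerts;
}

// Constructed sample: three spaced-out app routes, then four pushes in one tick.
function runDemo() {
  let clock = 0;
  const fake = { entries: [], pushState(s, t, url) { this.entries.push(url); } };
  const alerts = monitorHistory(fake, 'app.example', { now: () => clock });
  for (const url of ['/inbox', '/settings/profile', '/help/index.html']) {
    clock += 5000; fake.pushState({}, '', url);
  }
  clock += 5000;
  for (const url of ['/facebook.com', '/?q=twitter.com', '/google.com/login', '/youtube.com']) {
    fake.pushState({}, '', url);
  }
  return { alerts, entries: fake.entries };
}
```

In a browser the same wrapper would be installed with `monitorHistory(window.history, location.hostname)` before third-party scripts load, with the alerts forwarded to whatever client-side reporting the site already uses.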


With enough users stuffed, there are plenty of ways this can be abused. To name some:



Demo

To illustrate this technique, we're going to history stuff the Alexa Top 500 Sites:




