Unlike Jeremiah’s technique, this does not use a timing attack. However, it is pretty limited, both because it is slow (due to the extremely long timeouts associated with servers that aren’t there) and because you can’t make decisions based on the results you get from the attack, since the page isn’t dynamic. Very interesting stuff though. Nice job, Hong!
And before I forget, Sid Stamm alerted me to another place on the web that mentioned using CSS as a history-stealing attack as early as 2002 (where was I?). Anyway, I just wanted to make right on that. Not that I stole the idea, but I certainly didn’t come up with it first.