3

Some days ago, I was studying Web Programming for academic purposes. So I was learning SQL Injection by applying it on a sample website sqlzoo.net/hack/

But soon after it, in the Google ads on every page, every ad has been of "acunetix - Learn to prevent SQL Injection attacks". I don't get ads of other categories. Why do I only get ads of how to protect my PC and relating to SQL injection?

Amazed I am, I want to know how Google tracks my page transitions.

  • Are you sure you didn't search sql injection or something related in Google search? To add to the responses below about cookies, cookies are also sent to the server even if you are not visiting a Google site but any site that makes any call to Google. For example, it could be because that site is using Google APIs (e.g. downloading JavaScript), using a Google widget, or using Google authentication, etc. See this article on how Facebook tracks users, it might be helpful: http://blogs.msdn.com/b/james_brown/archive/2010/12/07/gov2-0-and-facebook-like-buttons.aspx – Omer Iqbal Jun 28 '14 at 20:48
  • Oh nice! Enhanced my knowledge. Cheers. – Abdussami Tayyab Jun 28 '14 at 23:34
  • @OmerIqbal Not quite correct. Google serves up CDN content via googleapis.com precisely because they do not want you to send their google.com cookies with each request so that the request is smaller and loading is faster. They do, however, have your IP address and maybe referer (not sure whether that is sent when a script is referenced with – Chris Jun 29 '14 at 01:00
  • @Chris Indeed. You are right. I must have been sleeping when I wrote that comment because one domain's cookie (google.com) is not exchanged when a different domain is used (googleapis.com). Thanks for pointing that one out. – Omer Iqbal Jun 29 '14 at 03:30
  • @OmerIqbal in the James Brown link you gave, he used a piece of software, "httpwatch". Where can I find documentation for that? I am really interested in knowing the Referer and file loading procedure for websites. – Abdussami Tayyab Jun 29 '14 at 19:04
  • @AbdussamiTayyab Just search it my friend :-) You'll find it, it's very popular. The other one you could use is Fiddler, which will also give you all the traffic that is being exchanged. – Omer Iqbal Jun 29 '14 at 23:47
  • All major browsers come with a developer console. Firefox, Chromium and IE all let you view requests including all headers there. This might be more convenient as a lot of traffic nowadays is encrypted using TLS so you will not see a lot using sniffing tools. – Chris Jun 30 '14 at 15:23

2 Answers

1

Google uses what are called cookies to do this. Nearly every website uses cookies of some form.

From Wikipedia:

A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is a small piece of data sent from a website and stored in a user's web browser while the user is browsing that website. Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user's previous activity.

Here's some information about Google's cookies: https://www.google.com/policies/technologies/types/

Eric Lagergren
  • Okay, so Google does generate ads according to the cookies' data. But how does Google select ad category? I mean, I visit many other different websites having different data. Why do I only see SQL Injection Prevention ads, to be precise? I hope I haven't been irrelevant. – Abdussami Tayyab Jun 07 '14 at 17:10
  • @AbdussamiTayyab I can't exactly tell you that, because it's dependent on Google's algorithms which, as far as I know, aren't public – Eric Lagergren Jun 07 '14 at 18:05
  • @AbdussamiTayyab as an extra addition you can block google.com from setting cookies on your machine, should you be annoyed by ads that follow up your search – elsadek Jun 07 '14 at 19:11
1

There are several ways of tracking a user on the web.

  • Cookies have already been mentioned in the other answer. Essentially, they are small pieces of data that websites can store and read from your computer. Usually they generate a unique identifier for you and store it in a cookie.
  • Every browser supplies a User Agent string with each request. This string has version information about your browser and your operating system in it. You can see your own user agent e.g. on http://user-agent-string.info/parse
  • Whenever you make a request via the internet the other party will see your IP address. Nowadays it is very common to put several computers behind a router which means that all these people will have the same IP address. If you are working in a small office it is likely that you have this setup so all your machines will appear to servers on the internet with the same IP address.
  • Most browsers always send referer information along when you click a link. This contains the URL of the page on which you clicked the link. It allows e.g. website administrators to track how people are finding their content.

Which of these pieces of information Google is using is something that only a Google employee will be able to tell you. Depending on how much effort you want to put into it you can track someone without using cookies by only looking at the other data.

Depending on how afraid you are of being tracked you can take countermeasures: While most browsers do not natively support changing the user agent there are usually plugins to do this. The use of referers can also sometimes be deactivated in the browser. Your IP address can be masked by hiding behind a VPN or the Tor network.

Note, though, that depending on your surfing habits Google might still be able to track you using only the information which URLs you visited at what time (provided they get that from their advertisements which seems plausible). You probably exhibit unique behavior and as long as you don't browse completely atypically (e.g. never looking at more than one page of content per website, never looking at content-related pages etc.) it might still be possible to identify you.

Chris
  • And there is no reason why any advertisement company can't use all these. Start with cookie, if not found (or no useful info), check IP, check referrer, etc. and use whatever information. It is likely to be much better than showing completely random ads. – Omer Iqbal Jun 28 '14 at 20:50
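
The fallback described in the answer and comment above (cookie first, then IP address and User-Agent, with the Referer supplying the interest signal), as an added example that is not part of the original posts. The host `ads.example`, the `uid` cookie name, the `SITE_TOPICS` mapping and the sample requests are constructed assumptions; how Google actually selects ads is not public.

```python
import hashlib
from collections import Counter, defaultdict
from urllib.parse import urlsplit

UA = "Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0"
# Constructed sample: what a hypothetical ad server (ads.example) receives when
# pages embed its script. Each entry is (client IP, request headers).
REQUESTS = [
    ("203.0.113.7", {"User-Agent": UA, "Cookie": "uid=a1b2c3",
                     "Referer": "http://sqlzoo.net/hack/"}),
    ("203.0.113.7", {"User-Agent": UA, "Cookie": "uid=a1b2c3",
                     "Referer": "http://news.example/sports/today"}),
    # Cookies now blocked: no Cookie header, but IP and User-Agent are unchanged.
    ("203.0.113.7", {"User-Agent": UA, "Referer": "http://sqlzoo.net/hack/passwd"}),
    # Referer suppressed too: still recognised, but no topic is learned.
    ("203.0.113.7", {"User-Agent": UA}),
]
SITE_TOPICS = {"sqlzoo.net": "sql injection", "news.example": "news"}  # hypothetical

def fingerprint(ip, headers):
    """Cookie-less identifier built from IP address and User-Agent."""
    raw = ip + "|" + headers.get("User-Agent", "")
    return "fp:" + hashlib.sha256(raw.encode()).hexdigest()[:12]

def cookie_uid(headers):
    """Return the tracking id from the Cookie header, or None if absent."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "uid" and value:
            return "uid:" + value
    return None

def build_profiles(requests):
    known = {}                        # fingerprint -> cookie id last seen with it
    profiles = defaultdict(Counter)   # visitor id -> topic counts
    for ip, headers in requests:
        fp, uid = fingerprint(ip, headers), cookie_uid(headers)
        if uid:
            known[fp] = uid
        visitor = uid or known.get(fp, fp)   # cookie first, fingerprint as fallback
        host = urlsplit(headers.get("Referer", "")).hostname
        topic = SITE_TOPICS.get(host)
        if topic:
            profiles[visitor][topic] += 1
    return profiles

def top_interest(profiles, visitor):
    ranked = profiles[visitor].most_common(1)
    return ranked[0][0] if ranked else None
```

The third request carries no cookie yet is still attributed to `uid:a1b2c3`, which is why blocking cookies alone does not stop the profile from growing; only the request without a Referer contributes nothing.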