dxa4481/windowHijacking dxa4481/windowHijacking

  • Stars
    star
    125
  • Rank 284,672 (Top 6 %)
  • Language
    HTML
  • License
    GNU General Publi...
  • Created over 8 years ago
  • Updated over 8 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
dxa4481/windowHijacking
github

dxa4481

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A demo of altering an opened tab after a timer

Window hijacking

This is a demonstration of a website opening a new tab after a link is clicked, and then after a timer of any length, while the user is on the new page, changing the location of that new page.

Context

It's known that setting a tag with a target attribute as _blank has security risks:

https://mathiasbynens.github.io/rel-noopener/

This is because the newly opened page has the ability to change the window location of the page that opened it, with the following:

window.opener.location = "https://google.com"

However this demonstration shows a website has the ability create a new page in a new tab, and then change the location of the newly created page after an arbitrary period of time has passed. This can be achieved as follows

<script>
    var windowHijack = function(){
        window.open('https://legitloginpage.xyz', 'test');
        setTimeout(function(){window.open('https://notlegitloginpage.xyz', 'test');}, 300000);
    }
</script>
<button onclick="windowHijack()">Open Window!</button>

In the above example, a new window is opened when the button is pressed, and 5 minutes later, the new window will change locations. Even if the new tab is changed to another website, or refreshed, the original website can still change the location

Impact

Users may be tricked into clicking links that are innocent, but change to be malicious after an arbitrary period of time. For example, a link to facebook.com may take a user to facebook, however after an arbitrary period of time, the facebook.com tab may change to faceobok.com and present a user with a fraudulent cloned login page to steal credentials.

Demo 1

In this example, a legitimate login page is linked, and the timer is set to 5 seconds. When the timer expires, the legitimate login page is changed to an illegitimate login page which has a keylogger installed on it.

https://security.love/windowHijacking

Demo 2

In this secondary example, the attack is combined with Pastejacking. A legitimate serverfault.com question is linked. After being opened, a 5 second timer will change the location of the legitimate serverfault website to a malicious clone of the original serverfault page, with pastejacking code installed. This causes any user who tries to copy the answer to get "cat /etc/passwd\n" injected into their clipboard.

https://security.love/windowHijacking/index2.html

Other considerations

When performing this attack, the opened page also has the ability to also change the location of the parent page. This can be accomplished by the same window.opener method shown above for _blank links. This can be used to stop JavaScript timers on parent pages.

More Repositories

1

Pastejacking

A demo of overriding what's in a person's clipboard
HTML
1,419
star
2

WPA2-HalfHandshake-Crack

This is a POC to show it is possible to capture enough of a handshake with a user from a fake AP to crack a WPA2 network without knowing the passphrase of the actual AP.
Python
545
star
3

cssInjection

Stealing CSRF tokens with CSS injection (without iFrames)
HTML
306
star
4

Snapper

A security tool for grabbing screenshots of many web hosts
Python
290
star
5

truffleHogRegexes

These are the regexes that power truffleHog
Python
192
star
6

gcploit

These are tools we released with our 2020 defcon/blackhat talk https://www.youtube.com/watch?v=Ml09R38jpok
Python
155
star
7

XSSJacking

Abusing Self-XSS and Clickjacking to trigger XSS
HTML
126
star
8

AttackingAndDefendingTheGCPMetadataAPI

This repo gives an overview of some GCP metadata API attack and defend patterns
78
star
9

Damn-Vulnerable-Redis-Container

An example of obtaining RCE via Redis and CSRF
HTML
74
star
10

XSSOauthPersistence

Maintaining account persistence via XSS and Oauth
JavaScript
69
star
11

whatsinmyredis

A CSRF demonstration of stealing local Redis data, and encrypting all Redis instances on a local network
CSS
53
star
12

inputProtectionShield

Eagle
42
star
13

CORS

JSON API's Are Automatically Protected Against CSRF, And Google Almost Took It Away.
34
star
14

CSRF-PoC-Genorator

This is a simple CSRF Proof of Concept generator that supports multiple form encodings and methods
HTML
28
star
15

mimikittenz4Linux

Steals cleartext passwords from webservices, by reading the memory of browsers
Python
27
star
16

santaHog

Scans packages in npm and pypi for secrets
Python
27
star
17

clientHashing

A demonstration of secure hashing done client side
JavaScript
22
star
18

bygonessl

A tool to discover bygonessl vulnerabilities using the facebook API
Python
19
star
19

logger

Simple javascript logging of fingerprint, IP address and user agent
JavaScript
17
star
20

SmartHealthCardViewer

Smart Health Card Viewer, view your California Smart Health Card Vaccination record
JavaScript
8
star
21

BitRush

An open source project for bitcoin mining on an FPGA
VHDL
7
star
22

domainAbandonedDetector

Detects abandoned domains referenced in HTML
Python
7
star
23

dxa4481.github.io

This is my resume, in HTML/CSS
Python
6
star
24

JayPi

Translating JTAGENUM to Python for the Raspberry Pi
Python
6
star
25

redirect_demo

HTML
6
star
26

gpsIoTTracker

This simple python module takes GPS locations of a moving object, and measured signal strengths of an IoT object and uses trilateration and the method of least squares to solve for the location of the object
Python
5
star
27

Veyebrations

We are creating a system that translates measured distances of physical objects into vibrations to assist the blind
Eagle
4
star
28

JohnWilliams

JavaScript
4
star
29

coolSVGXSS

simple demo of XSS in an SVG
HTML
4
star
30

security_reports

A simple template that can be used to deliver security reports either for bug bounties, internal reports, or consultancy work
HTML
4
star
31

penguin

A restful single page app tool sharing application
Python
3
star
32

VibrationAPI

An example of the HTML5 vibration API
HTML
2
star
33

Tutorials

Learning new things
JavaScript
2
star
34

dotGitFinder

JavaScript
2
star
35

HIVStats

This application makes HIV statistics very accessible
HTML
2
star
36

log_handler

The backend log handler for logger.io
JavaScript
2
star
37

SocialEngineeringPresentation

A simple presentation on social engineering
HTML
2
star
38

SoundMaker

This uses the open hardware provided by arduino to modify an arduino PCB into making a sound board
Eagle
1
star
39

fingerprint-page-count

Counts how many times a user has viewed a page based on his browser's fingerprint
JavaScript
1
star
40

blog

HTML
1
star
41

SeriousApiarist

Controlled builds, tests, static analysis, releases, and deploys with validation and 2FA and live streaming to your CI
Go
1
star
42

serverConfigs

The server configuration files for security.love and e-q.pw
1
star
43

serviceworkerCSRFLogout

HTML
1
star
44

insecureLamp

a very simple insecure web application designed to turn a lamp on and off
Python
1
star
45

FingerprintPressure

This simple demo shows given an image of a fingerprint, you can determine how hard the person was pushing down
Python
1
star
46

AccelerometerAPI

A brief demonstration showing browsers can access a device's accelerator data without promoting a user. This app shows the total acceleration vector magnitude
HTML
1
star
47

CORS-pdf

This is a simple demo that shows you can host a PDF cross origin in chrome, and track a user's interaction with the PDF with the default chrome PDF viewer.
HTML
1
star