Inspired by the paper "The Postman Always Rings Twice" by Sooel Son and Vitaly Shmatikov (https://www.cs.utexas.edu/~shmat/shmat_ndss13postman.pdf) I researched how many of the dedicated mobile sites of the Alexa Top 10.000 have vulnerable postMessage receivers. This was part of a talk I gave at my uni, the Ruhr University Bochum.
23. Mobile Detector
• for site in alexa_top_10000:
• desktop_url = request(site, user_agent=desktop)
14
24. Mobile Detector
• for site in alexa_top_10000:
• desktop_url = request(site, user_agent=desktop)
• mobile_url = request(site, user_agent=mobile)
14
25. Mobile Detector
• for site in alexa_top_10000:
• desktop_url = request(site, user_agent=desktop)
• mobile_url = request(site, user_agent=mobile)
14
26. Mobile Detector
• for site in alexa_top_10000:
• desktop_url = request(site, user_agent=desktop)
• mobile_url = request(site, user_agent=mobile)
• if desktop_url != mobile_url:
14
27. Mobile Detector
• for site in alexa_top_10000:
• desktop_url = request(site, user_agent=desktop)
• mobile_url = request(site, user_agent=mobile)
• if desktop_url != mobile_url:
• has_mobile_version = True
14
31. Mobile Detector
• ~ 2500 dedicated mobile sites
• Many false positives
• http://site.tld/?session=123 vs. http://site.tld/?session=456
15
32. Mobile Detector
• ~ 2500 dedicated mobile sites
• Many false positives
• http://site.tld/?session=123 vs. http://site.tld/?session=456
• After manual cleanup: ~2170 mobile sites remaining
15
33. Mobile Detector
• ~ 2500 dedicated mobile sites
• Many false positives
• http://site.tld/?session=123 vs. http://site.tld/?session=456
• After manual cleanup: ~2170 mobile sites remaining
• Most common:
15
34. Mobile Detector
• ~ 2500 dedicated mobile sites
• Many false positives
• http://site.tld/?session=123 vs. http://site.tld/?session=456
• After manual cleanup: ~2170 mobile sites remaining
• Most common:
• m.domain
15
35. Mobile Detector
• ~ 2500 dedicated mobile sites
• Many false positives
• http://site.tld/?session=123 vs. http://site.tld/?session=456
• After manual cleanup: ~2170 mobile sites remaining
• Most common:
• m.domain
• domain/m
15
36. Mobile Detector
• ~ 2500 dedicated mobile sites
• Many false positives
• http://site.tld/?session=123 vs. http://site.tld/?session=456
• After manual cleanup: ~2170 mobile sites remaining
• Most common:
• m.domain
• domain/m
• domain/mobile
15
40. Data Collector
// Crawl with an iPhone user agent so that sites serve the dedicated mobile
// version under test (the user-agent string is truncated on the slide).
page.settings.userAgent = 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) …
// Presumably the hook used to inject instrumentation into the page context
// before the page's own scripts run; the page.evaluate body is elided on this
// slide — confirm against the full script.
page.onInitialized = function() {
page.evaluate(function() {
});
};
17
41. Data Collector
// Crawl with an iPhone user agent so that sites serve the dedicated mobile
// version under test (the user-agent string is truncated on the slide).
page.settings.userAgent = 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) …
// Presumably the hook used to inject instrumentation into the page context
// before the page's own scripts run; the page.evaluate body is elided on this
// slide — confirm against the full script.
page.onInitialized = function() {
page.evaluate(function() {
});
};
// Load the target (args[1] is presumably the URL passed on the command line —
// confirm) and exit PhantomJS once the load callback fires. `status` is not
// inspected, so a failed load ("fail") is indistinguishable from a successful
// crawl in the collected data.
page.open(args[1], function(status) {
phantom.exit();
});
17
42. Data Collector
// Crawl with an iPhone user agent so that sites serve the dedicated mobile
// version under test (the user-agent string is truncated on the slide).
page.settings.userAgent = 'Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) …
// Presumably the hook used to inject the addEventListener instrumentation into
// the page context before the page's own scripts run; the page.evaluate body is
// elided on this slide — confirm against the full script.
page.onInitialized = function() {
page.evaluate(function() {
});
};
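(function(oldEventListener) {
  /*
   * Instrumentation for the crawled page: wraps window.addEventListener so
   * that every "message" listener a page registers is reported to the
   * collector together with the page URL, the listener's function name and
   * its source text. The original registration is then handed to the real
   * addEventListener so the page keeps behaving normally.
   */
  var logReceiver = function(location, name, code) {
    /*
    Logs the location, receiver name and receiver code to our web api
    */
    // Declared with `var` – previously `xmlhttp` leaked as an implicit global
    // (and would throw under strict mode).
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.open('POST', 'https://collector.herokuapp.com/receivers/', true);
    var params = 'url=' + encodeURIComponent(location) +
      '&receiver_name=' + encodeURIComponent(name) +
      '&receiver_code=' + encodeURIComponent(code);
    xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    // Content-Length and Connection are forbidden request headers for XHR;
    // the browser sets them itself, so the explicit setRequestHeader calls
    // were dropped (they were ignored at best).
    xmlhttp.send(params);
  };

  // Overwrite the window.addEventListener function
  window.addEventListener = function(type, listener, useCapture) {
    // /message/i is case-insensitive and unanchored; only message-type
    // receivers are of interest. Guard against a null/undefined listener,
    // which would otherwise throw on `.name` below.
    if (listener && /message/i.test(type)) { // If event is of type message
      // Function listeners yield their source; EventListener objects
      // (handleEvent) have no name and stringify to "[object Object]".
      var code = typeof listener === 'function' ? listener.toString() : String(listener);
      logReceiver(document.location.href, listener.name || '-', code);
    }
    // Forward to the real implementation: the original wrapper never called
    // it, so no listener was actually installed on the crawled page, which
    // also hid receivers that pages register later from inside other handlers.
    return oldEventListener.call(this, type, listener, useCapture);
  };
  // NOTE: receivers assigned via window.onmessage = ... are not seen by this hook.
})(window.addEventListener);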
// Load the target (args[1] is presumably the URL passed on the command line —
// confirm) and exit PhantomJS once the load callback fires. `status` is not
// inspected, so a failed load ("fail") is indistinguishable from a successful
// crawl in the collected data.
page.open(args[1], function(status) {
phantom.exit();
});
17
71. function (e) {
/*
Our messages are always exchanged using a string protocol,
If the data is not a string, we should skip the parsing
*/
if (typeof e.data !== 'string') return;
var message = e.data.split(',')[0]
var value = e.data.split(',')[1]
if ( message === "close" ) {
esc(value, true)
}
if ( message === "redirect" ) {
yiel.yieldify_will_redirect = true
form_refill_capture();
value = e.data.substring(e.data.indexOf(",")+1)
window.location.href = value
}
if ( message === "direct_show" ) {
yiel.fn.deleteYieldifyCookie("after_submit")
yiel_visible("campaign",value, true);
}
if ( message === "form" ) {
var s = value.split(';')[1]
s = decodeURIComponent(s)
var data = {}
var sp= s.split('&')
var key,aa;
var i;
for(i=0;i<sp.length;i++){
key = sp[i]
aa=key.split('=')
data[aa[0]] = aa[1]
}
if(value.split(';').length == 2){
yiel_post_to_url(value.split(';')[0], data, "")
}else{
yiel_post_to_url(value.split(';')[0], data, value.split(';')[2])
}
esc(value)
}
if ( message === "sales" ) {
//If click a link and the id for this campaign was asked to track sales then add
//a cookie by id for this campaign
//The value is the id
var track_sales = yiel.overlays_y[value].track_sales
if(yiel.website.track_sale!=null && yiel.website.track_sale!="" && track_sales!=null
var saleCookie = yiel.fn.getYieldifyCookie("sale")
/*if (saleCookie!=null && saleCookie!=""){
value = saleCookie + "," + value
}*/
…
34
74. /*
Our messages are always exchanged using a string protocol,
If the data is not a string, we should skip the parsing
*/
if (typeof e.data !== 'string') return;
37