In response to my previous blog post regarding a new clickjacking technique using link object href target replacement hooked to some of the link object's mouse events, I got a lot of questions asking how this target URL swap technique could be detected short of analyzing all the JavaScript on the page looking for this type of malicious code. Automated detection through code analysis is a fairly difficult problem for a number of reasons, so I began thinking about this problem from the approach of detecting the result of the malicious code rather than the code itself. Using that approach I wondered if you could fire potentially unknown event handlers, whatever they may be, without actually causing the event to happen. Turns out you can:
What this bit of HTML and JavaScript does is load a target page into a frame, wait 10 seconds, and then call the function swapdetect(). I used a frame so that the page could be poked at in a pseudo-sandbox, but you could easily modify the JavaScript to operate within the current window rather than target a frame or other window; just be sure to call swapdetect() after the page has finished loading and any other handlers for the page's 'onload' event have run (the fixed 10-second delay is only a crude stand-in for waiting on the frame's load event). One caveat for the frame approach: script in the outer page can only read the framed document's links, and dispatch events to them, when both documents are same-origin. A cross-origin frame is opaque to it.
The function swapdetect() first creates a backup copy of the href targets of every entry in the page's links array for later comparison. It then creates event objects for the 'mousedown' and 'click' events and uses those artificial events to run whatever handlers (if any) are attached to each link object in the links array, via dispatchEvent() (fireEvent() on IE). Because the events are synthetic, only the event handlers are called; the actual event does not take effect. One caveat: whether the default action really stays suppressed depends on the browser and on how the synthetic event is built. A synthetic 'click' dispatched as a MouseEvent will follow the link in current browsers, so either build a plain Event (which still invokes the handlers) or have a listener call preventDefault() on it before it finishes dispatching. Either way, this causes the link swapping code from my previous blog post to do its thing, which we can then detect: the links array is compared against the backup copy of the original targets to determine whether any link's target has changed, and an alert dialog is raised for each one that has. If you were so inclined, the same technique used in the link swapping code could be used in place of the alerts to restore the original href target value.
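Here is the detection routine described above, written as an added example rather than the code from the original post. It fires synthetic 'mousedown' and 'click' events at each link while blocking the default action, diffs the hrefs against a snapshot, and restores any that changed. The FakeLink class, the sample hrefs, the attacker.invalid URLs and the swapping handlers are all constructed stand-ins for a page's document.links and for the swap technique from the previous post; they exist only so the block runs stand-alone under Node (15 or later, which provides the EventTarget and Event globals). In a browser you would drop the fake links and call swapDetect(document.links) after the page has loaded.

```javascript
// Added example (not the original post's code): detect href swapping by
// dispatching synthetic mouse events to every link and diffing the hrefs.
// Runs stand-alone under Node >= 15 (EventTarget/Event globals) against
// constructed fake links; in a browser, drop FakeLink/buildSampleLinks and
// call swapDetect(document.links) once the page has finished loading.

const EVENT_TYPES = ['mousedown', 'click'];

// Run the handlers for `type` on `link` without letting the event's default
// action happen. A plain Event (not a MouseEvent) is used on purpose: per the
// DOM standard only a MouseEvent whose type is "click" triggers an anchor's
// navigation, while handlers attached via addEventListener or onclick still
// run for any event of that type. The one-shot guard that calls
// preventDefault() is belt and braces for engines that differ.
function fireWithoutDefault(link, type) {
  const guard = (ev) => ev.preventDefault();
  link.addEventListener(type, guard, { once: true });
  const ev = new Event(type, { bubbles: true, cancelable: true });
  link.dispatchEvent(ev);
  link.removeEventListener(type, guard);
  return ev.defaultPrevented;
}

// Snapshot every link's href, poke its mouse handlers, and report (and, by
// default, undo) any href that changed. Returns an array of findings.
function swapDetect(links, { restore = true } = {}) {
  const original = Array.from(links, (a) => a.href);
  const findings = [];
  for (let i = 0; i < original.length; i++) {
    const link = links[i];
    for (const type of EVENT_TYPES) fireWithoutDefault(link, type);
    if (link.href !== original[i]) {
      findings.push({ index: i, original: original[i], swapped: link.href });
      if (restore) link.href = original[i];
    }
  }
  return findings;
}

// --- constructed sample "page" (stand-in for document.links) --------------
class FakeLink extends EventTarget {
  constructor(href) { super(); this.href = href; this.clicks = 0; }
}

function buildSampleLinks() {
  const links = [
    new FakeLink('https://example.com/login'),
    new FakeLink('https://example.com/account'),
    new FakeLink('https://example.com/help'),
    new FakeLink('https://example.com/logout'),
  ];
  // Benign handler: counts clicks, never touches href (must not be flagged).
  links[0].addEventListener('click', (ev) => { ev.target.clicks += 1; });
  // Hypothetical swap handlers of the kind the previous post describes: the
  // href the user saw on hover is replaced just before the browser follows it.
  links[1].addEventListener('mousedown', (ev) => {
    ev.target.href = 'https://attacker.invalid/phish';
  });
  links[3].addEventListener('click', (ev) => {
    ev.target.href = 'https://attacker.invalid/logout-hijack';
  });
  return links;
}

if (typeof document === 'undefined') {
  // Running under Node: exercise the constructed sample.
  const links = buildSampleLinks();
  const findings = swapDetect(links);
  for (const f of findings) {
    console.log(`link #${f.index}: ${f.original} -> ${f.swapped}`);
  }
  console.log(`${findings.length} swapped link(s); hrefs restored`);
}
```

Two design points worth noting. The snapshot is taken before any event is fired, so a handler that swaps one link's href as a side effect of another link's event is still caught by the final comparison. And restoring the href does not remove the handler, so the swap will recur on the next real click; treat the restore as a stopgap and the finding as the signal.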