Today I saw an article, "The dangerous target="_blank" and opener", which mentioned an old piece of knowledge: when a link uses target="_blank", the newly opened page can control the URL of the source page through window.opener and carry out a phishing attack. I also covered this technique in my blog post "The magic opener object", so I will not repeat it here. This article presents another target-related phishing attack.
0x01 effect demonstration
Let's start with a small example:
http://675ba661.w1n.pw/41593a
As shown in the figure above, open the link and click "click me", which opens Baidu. Check the address bar at this point and it really is Baidu. Wait 10 seconds and check the address bar again: it has become the attacker's web address. Even if we visit Taobao or other pages in the meantime, as long as we stay in this tab, the address bar will still be hijacked.
0x02 principle description
The code for the above page is also simple:
When the user clicks the "click me" hyperlink, a repeating timer is started. Every 10 seconds the hyperlink's address is replaced with a phishing site imitating Baidu and the link is clicked again. (Of course, in a real attack a reverse proxy of the real target works better; that is detailed in my other article "How to play with OpenResty + Lua as a reverse proxy service".)
Here the hyperlink's target attribute names the browsing context in which the URL is opened, and that name becomes the window.name of the opened page. If the a tag's href changes and the link is clicked again, the page still opens in that same tab, so the previously opened page is overwritten.
For example, suppose we run a malicious site of the "website navigation" (link directory) type. Users open Baidu, Taobao and other sites in new tabs from our page. We can then generate phishing pages based on which links each user opened, forging the login pages of those sites for precisely targeted phishing. I will not demonstrate that here.
0x03 extension attempt
In addition to hyperlinks, the same effect can be achieved with window.open:
However, window.open is often blocked by pop-up and ad-blocking features, so it may not be as effective as using a hyperlink directly.
So let's dig deeper. Is this phenomenon related to window.name? Can we control the URL of any page as long as we know its name?
We can do an experiment. Write page A (http://a.675ba661.w1n.pw/a_victim):
Write page B (http://b.675ba661.w1n.pw/b_attacker):
Page A is the target website and sets its window.name to "baidu"; page B is the attacker's page and sets target="baidu" on its link.
Obviously, clicking "click me" in page B opens a new tab rather than changing the URL of page A. This experiment shows that remote control of the URL is not directly a matter of window.name but of the parent-child (opener) relationship between the pages.
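To make this conclusion concrete, here is an added model (my own code, not from the original post) of the HTML spec's rules for choosing a browsing context by target name: the "familiar with" relation explains both why the source page keeps control of the tab it opened in 0x02 and why page B cannot reach page A in 0x03. It also models the defender-side fix, a Cross-Origin-Opener-Policy: same-origin response header on the opened site, which severs a cross-origin opener link; apart from the post's demo hosts, the origins are constructed.

```javascript
// Added example (not the post's code): a toy model of the HTML spec's
// "familiar with" relation and its target-name lookup, simplified to
// top-level tabs (no _blank/_self handling, no name reset on navigation).
// A tab: origin of its current document, its name, and the tab that opened it.
function makeContext(origin, name = "", opener = null) {
  return { origin, name, opener };
}
// "familiar with": same origin, or A is familiar with B's opener. This opener
// link, not the name, is what the attacker's page in 0x02 relies on.
function familiarWith(a, b) {
  if (a.origin === b.origin) return true;
  return b.opener !== null && familiarWith(a, b.opener);
}
// Reuse a tab with that name if current is familiar with it; otherwise
// create a fresh tab whose opener is current.
function chooseTarget(current, name, allTabs) {
  const found = allTabs.find((t) => t.name === name && familiarWith(current, t));
  if (found) return { tab: found, created: false };
  const fresh = makeContext("about:blank", name, current);
  allTabs.push(fresh);
  return { tab: fresh, created: true };
}
// Navigation keeps the opener link, unless the new document sends
// Cross-Origin-Opener-Policy: same-origin, which cuts off a cross-origin
// opener (the defender-side mitigation; not covered in the post).
function navigate(tab, origin, coopSameOrigin = false) {
  if (coopSameOrigin && tab.opener !== null && tab.opener.origin !== origin) {
    tab.opener = null;
  }
  tab.origin = origin;
  return tab;
}
// Section 0x02: the attacker's page opens a tab named "baidu", the user browses
// on, and a later click with target="baidu" still lands in it unless COOP cut
// the link. Origins: the post's demo host plus constructed sites.
function attackerKeepsTab(coopSameOrigin) {
  const attacker = makeContext("http://675ba661.w1n.pw");
  const tabs = [attacker];
  const tab = chooseTarget(attacker, "baidu", tabs).tab;
  navigate(tab, "https://www.baidu.com", coopSameOrigin);
  navigate(tab, "https://www.taobao.com", coopSameOrigin);
  return chooseTarget(attacker, "baidu", tabs).tab === tab;
}
// Section 0x03: page A names itself "baidu"; page B is cross-origin and not its
// opener, so it is not familiar with A and target="baidu" opens a new tab.
function unrelatedPageReusesTab() {
  const a = makeContext("http://a.675ba661.w1n.pw", "baidu");
  const b = makeContext("http://b.675ba661.w1n.pw");
  return chooseTarget(b, "baidu", [a, b]).tab === a;
}
```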
0x04 summary
The attack described in this article is similar to the opener attack: it controls the URL of the target tab's page and then carries out phishing, without any cross-domain access.
But I think this attack is more persistent: even if the user types a domain name themselves into the new tab, or follows hyperlinks to other websites, the address bar of that tab remains under the control of the source page. In theory, as long as the source page is not closed, the new tab's address bar can be controlled indefinitely.