Wilders Security Forums  

  #1  
Old June 1st, 2012, 02:32 PM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,930
Lightbulb Browser POC's to test

Quote:
Yes, you can have fun with downloads

It is an important and little-known property of web browsers that one document can always navigate other, non-same-origin windows to arbitrary URLs; in more limited circumstances, even individual frames can be targeted.

http://lcamtuf.blogspot.ro/2012/05/y...downloads.html

Quote:
The old seamless switcharoo

This is hardly new, but illustrates the effectiveness of using data: or precached content to do the deed. Should work neatly in up-to-date browsers. You're probably fooling yourself if you think you'd reliably spot this happening to you in the wild.

http://lcamtuf.coredump.cx/switch

Quote:
All the top three browsers are currently vulnerable to this attack; some provide weak cues about the origin of the download, but in all cases, the prompt is attached to the wrong window - and the indicators seem completely inadequate.

You can check out the demo here:

http://lcamtuf.coredump.cx/fldl

They either didn't work, or didn't fool me. Try 'em & see how you fare

BTW - Tested on FFv3.6.14 with & without JavaScripting etc
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #2  
Old June 1st, 2012, 02:36 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,519
Default Re: Browser POC's to test

Obviously it didn't fool you, you tested yourself. It's like saying "I'm a chair... haha I don't believe that for a second."

Real world if someone on Wilders linked to "an important flash update" that was really a virus I'm fairly certain a large portion of this site would get infected.
__________________
  #3  
Old June 3rd, 2012, 03:25 AM
Tomwa Tomwa is offline
Regular Poster
 
Join Date: Feb 2010
Posts: 160
Default Re: Browser POC's to test

Link 1 did absolutely nothing, TorBrowser blocked both popups, and NoScript asked for me to follow a redirect to Adobe.com but as the windows of maliciousness were unable to open it was pointless though I can see the issue presented.

Link 2 was interesting in the fact that TorBrowser (My web browser) as Access to Memory and Disk cache is forbidden. This would be easily exploited in normal Firefox. I use TorBrowser for all my browsing but I have Waterfox limited to access only a specific list of Grooveshark/Youtube IPs (all other traffic is blocked and HTTP/S is blocked system wide and exceptions are made as necessary). This if anything should prove that cache access (As it is) is flawed and needs to be secured by ensuring only the site which cached the data may access it.

Link 3 is this the same as number one? Same thing happened:

1. Click button
2. Asked to redirect to adobe.com
3. Redirect
4. Adobe.com opens in new tab and becomes the focus
5. 2 Popups blocked on initial page.

I must say this was fun though.
__________________
KIS 2013 + LUA + SRP + SpywareBlaster + UAC Max + EMET Max + (Removed) Keyscrambler + Sandboxie + WinPatrol + PeerBlock + TrueCrypt (FDE 63 Char random ASCII key) + Tor (Privoxy + Polipo chain) + OpenDNS + HostsMan (MVPS + hpHosts (Ads/trackers)).
  #4  
Old June 15th, 2012, 06:30 AM
treehouse786 treehouse786 is offline
Very Frequent Poster
 
Join Date: Jun 2010
Location: Lancashire
Posts: 1,052
Default Re: Browser POC's to test

3rd link - easily spotted from the Firefox 13 'from' section in the download window, but yes, most people would fall for this.

Could someone please explain what the second link is doing/showing?
__________________
Active@ Disk Image | 10 On-Demand Scanners

  #5  
Old June 15th, 2012, 04:07 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,519
Default Re: Browser POC's to test

The second link starts out as the legit webpage with the URL showing that website. It then changes after a few seconds. From the source:

Quote:
If you don't get it, banking.beaver-peak.us is a trusted banking website;
everything else is attacker-controlled. We begin by opening the legitimate
banking website, and giving the user enough time to examine the address bar.

There is a common misconception that changing the URL must result in a visible
page transition that alerts the user to foul play, but that's not the case.

PS. In older versions of Firefox, where the http:// prefix is not hidden,
this will look a bit less convincing due to the misalignment of URLs. Easy to
fix, but upgrade your browser already.

PPS. Bonus question: can you do something useful by flipping two pages
very rapidly, especially with history.*? What are the implications for
clickjacking & friends?
__________________
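
A defender-side illustration of the cross-window navigation property quoted in this thread, added here and not part of any post or of the PoC source: a simplified model of how the Cross-Origin-Opener-Policy (COOP) response header, a later browser mechanism the thread does not mention, decides whether a page that opened another window keeps a handle it can use to navigate that window. The `attacker.example` hostname, the function names and the reduction of the browser's algorithm to these rules are assumptions.

```javascript
// Simplified COOP model: does the opener keep a usable handle to the window
// it opened once that window loads a document?
// banking.beaver-peak.us is the "trusted" site named in the quoted PoC source;
// attacker.example and the header values are constructed sample data.

const COOP_VALUES = ["unsafe-none", "same-origin-allow-popups", "same-origin"];

// Missing or unrecognised values fall back to the default, "unsafe-none".
// Parameters after ';' (such as report-to) are ignored; the token is compared exactly.
function parseCoop(headerValue) {
  if (typeof headerValue !== "string") return "unsafe-none";
  const token = headerValue.split(";")[0].trim();
  return COOP_VALUES.includes(token) ? token : "unsafe-none";
}

// true  -> opener and opened document stay in one browsing context group,
//          so the opener can still navigate the opened window later.
// false -> the opened document is isolated; the opener's handle is severed.
function openerKeepsHandle(opener, opened) {
  const a = parseCoop(opener.coop);
  const b = parseCoop(opened.coop);
  const sameOrigin = new URL(opener.url).origin === new URL(opened.url).origin;

  if (a === "unsafe-none" && b === "unsafe-none") return true;
  // An opener with same-origin-allow-popups keeps popups that did not opt in.
  if (a === "same-origin-allow-popups" && b === "unsafe-none") return true;
  if (a === "unsafe-none" || b === "unsafe-none") return false;
  return a === b && sameOrigin;
}

const attackerPage = { url: "https://attacker.example/", coop: undefined };
const bankDefault = { url: "https://banking.beaver-peak.us/", coop: undefined };
const bankHardened = { url: "https://banking.beaver-peak.us/", coop: "same-origin" };

for (const [label, page] of [["no COOP header", bankDefault], ["COOP: same-origin", bankHardened]]) {
  const exposed = openerKeepsHandle(attackerPage, page);
  console.log(`${label}: opener ${exposed ? "can" : "cannot"} navigate the opened window`);
}
```
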
  #6  
Old June 16th, 2012, 10:20 AM
treehouse786 treehouse786 is offline
Very Frequent Poster
 
Join Date: Jun 2010
Location: Lancashire
Posts: 1,052
Default Re: Browser POC's to test

Quote:
Originally Posted by Hungry Man
The second link starts out as the legit webpage with the URL showing that website. It then changes after a few seconds. From the source:
ok thanks
__________________
Active@ Disk Image | 10 On-Demand Scanners

  #7  
Old June 16th, 2012, 01:07 PM
Noob Noob is offline
Massive Poster
 
Join Date: Nov 2009
Posts: 5,330
Default Re: Browser POC's to test

Nothing happened in the second link for me.
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736
SRP - UAC - EMET

Browser: Google Chrome v25.xx

Windows 7 Ultimate x64
  #8  
Old June 17th, 2012, 10:07 AM
fax fax is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 2,583
Default Re: Browser POC's to test

You should see this address in the address bar, right?
banking.beaver-peak.us

In my case I see something else:
banking.coredump.cx/us/

Is the POC working then?
 

All times are GMT -4.