JavaScript Clipboard Access

Discussion in 'other security issues & news' started by aigle, Jan 30, 2009.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi aigle,

    Is this test for IE/Netscape only? It did not work in Opera with JavaScript enabled.

    ----
    rich
     
  3. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    I get this.......
     

    Attached Files:

  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Not sure. In Opera, it seems OK even with JS enabled.
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    For a failed JavaScript Clipboard Test, Jason's Toolbox says...

    "To prevent a web site from reading your clipboard, take the following steps:

    Go to Tools->Internet Options.
    Click on the Security Tab.
    Click on "Custom Level."
    Scroll down to the Scripting section under Settings.
    Set "Allow paste operations via script" to Disable or Prompt.
    Press the OK buttons to close the dialog boxes."


    Trouble is, on IE7 there is no scripting setting that says, "Allow paste operations via script".

    I do see a setting to, "Allow Programmatic clipboard access", and it is disabled.
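
A way to check the setting discussed in this post from the registry instead of the dialog, added here as an example that is not part of the thread or of Jason's Toolbox. It assumes that the IE6 label "Allow paste operations via script" and the IE7 label "Allow Programmatic clipboard access" both refer to URL action 1407, stored under the standard Internet Settings\Zones keys; the function name is hypothetical.

```powershell
# Added example (not from the thread): report how each IE security zone treats
# script access to the clipboard. Assumption: URL action 1407, stored as a
# DWORD named "1407" under ...\Internet Settings\Zones\<zone number>.
$zoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}
$policyNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$roots = @(
    "HKLM:\SOFTWARE\Policies\$suffix"   # machine-wide Group Policy
    "HKCU:\Software\Policies\$suffix"   # per-user Group Policy
    "HKCU:\Software\$suffix"            # written by the Internet Options dialog
    "HKLM:\SOFTWARE\$suffix"            # machine defaults
)

function Get-ClipboardScriptPolicy {
    foreach ($root in $roots) {
        foreach ($zone in ($zoneNames.Keys | Sort-Object)) {
            $key  = Join-Path $root $zone
            $item = Get-ItemProperty -Path $key -Name '1407' -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # value not set in this hive
            $raw     = [int]$item.'1407'
            $setting = $policyNames[$raw]
            if ($null -eq $setting) { $setting = "Unknown ($raw)" }
            [pscustomobject]@{
                Hive    = $root.Substring(0, 4)
                Policy  = $root -like '*\Policies\*'
                Zone    = $zoneNames[$zone]
                Setting = $setting
                # Unprompted clipboard reads matter most for untrusted content.
                Review  = ($raw -eq 0 -and $zone -ge 3)
            }
        }
    }
}

Get-ClipboardScriptPolicy | Sort-Object Zone, Hive | Format-Table -AutoSize
```

A row with Review set to True means script in the Internet or Restricted sites zone can read the clipboard without a prompt; Disable or Prompt is the state the quoted steps aim for.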
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Seamonkey passes regardless of its JavaScript settings. Using IE6, the results depend on the security setting "allow paste operations via script". Mine is set to prompt and it works as it's supposed to. I'm not positive, but I think this is only possible with Internet Explorer. Alternate browsers are not part of the OS and don't have access to the clipboard. There is a Firefox extension, allow clipboard helper, that adds this functionality and uses a user-defined whitelist of allowed sites.
    I don't see why HIPS should have this function. Internet Explorer will prompt when the security option is set. The other browsers don't appear to be vulnerable. Why duplicate the coverage?
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Remember a while back there was a similar POC that worked with all browsers. It was like hijacking your clipboard.
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    This is what I get on Win 7 with IE 8, default settings.
     

    Attached Files:

    • clip.jpg
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I never got around to checking into that POC. I'd have to try it and see what it does and which browsers it affects. For the most part, code like that gets filtered out before it reaches my browsers. All of them are forced to connect thru Proxomitron. That's the only way I'll use Internet Explorer.

    IMO, it would be better for this to be addressed by the browser itself or by a web filtering app or plug-in like Proxomitron or NoScript. I'd rather not see this included in HIPS. On my setup, HIPS defends the attack surface (web apps, firewall, Proxomitron) and limits what those apps can do if they are successfully compromised, but does not handle potentially malicious content itself. If HIPS is also given the task of filtering web content, that would make it part of the attack surface. It creates a potential attack vector that reaches to the system kernel.
     
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    I failed the JavaScript Clipboard Test using IE7. Anyone know which browser setting can be changed to fix this? The one suggested by Jason (Set "Allow paste operations via script" to Disable or Prompt) is not present in IE7. https://www.wilderssecurity.com/showpost.php?p=1395980&postcount=5 Thank you :)

    Edit in: I question whether the failed notification from the test is accurate. It states, You're failed that JavaScript Clipboard Test. The JavaScript on the previous page was able to read the following data from your clipboard: "", showing the clipboard contents as blank (with no data between the quotations), yet I did have data on the clipboard. Does this seem right? It doesn't to me.
     
    Last edited: Feb 1, 2009