Security researcher Dylan Ayrey detailed last week a new web-based attack named XSSJacking that combines three other techniques — Clickjacking, Pastejacking, and Self-XSS — to steal data from careless users.
Ayrey says XSSJacking can help attackers reach sensitive information for which they would normally need a more complex security flaw, such as a stored XSS (Cross-Site Scripting) or CSRF (Cross-Site Request Forgery), issues that most websites tend to fix when reported.
The attack is not fully-automated, as it still relies on social engineering, a reason why many of today’s security bug bounty programs won’t even consider it as a security flaw, Ayrey told Bleeping Computer in an email.
Some conditions must be met for XSSJacking attacks
For an XSSJacking attack to take place, some conditions must be met, but then again, every attack, even CSRF and SQL injection, needs one or more special conditions.
For example, in the case of XSSJacking, the target website must be vulnerable to clickjacking.
Clickjacking is a technique that fools users into taking actions they didn’t intend. For example, an attacker can place various buttons on a malicious website. On top of these buttons, he loads a portion of a legitimate website inside an iframe, and sets its opacity to 0.
When the user goes to click the button, he’s actually clicking inside the hidden iframe. Speaking to Bleeping Computer, Ayrey says that if a user is logged into that website, he can take unwanted actions.
“Imagine the good-guy website had a ‘Delete account’ button, and imagine the evil website put a ‘Click here for a prize’ button directly under the iframed [and] now invisible ‘Delete account’ button,” Ayrey said.
XSSJacking chains together three attack techniques
Here is where the second technique comes in, called Self-XSS: a type of XSS that typically can only be triggered by the user typing in an XSS payload that then runs in their own session. This can be DOM-based, or set in a field that only that one user can set and view.
For example, if the attacker aligns his iframe, so the user interacts with a form field on the legitimate website, the user can insert text into that field without even knowing.
But how do you make a user copy-paste malicious text? Easy! This is where the third technique, Pastejacking, comes in: the attacker's page alters what lands on the clipboard during the copy action and then simply waits for the user's paste command.
XSSJacking attacks rely on good social engineering
So let’s start with an attack from the beginning. You’re a malicious hacker and you set up a forum. In the forum registration page, you place an “Enter your email” field and a “Retype your email” field.
Secretly, you place a hidden iframe on top of the “Retype your email” field, where you load a form field from a Good Website’s settings page.
When a user wants to register on your site, he’ll write his email address and, just like most people, copy-paste it into the second field. Unknown to him, the malicious website has appended malicious code to the text he copied and inserted it into the Good Website settings field loaded in the hidden iframe.
If the Good Website is vulnerable to XSS flaws via its form fields, the attack code can perform malicious actions, and the victim won’t even have any idea when and how someone exploited his account, let alone suspect it was himself.
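The attack above needs two things from the Good Website: a settings page that can be framed, and a form field whose stored value is written back into the page unencoded. As an added example (not code from the article or from Ayrey's research), the following shows the two server-side fixes that remove those preconditions; the function names, the `email` field and the sample payload are assumptions for illustration.

```javascript
// Added example, not from the article: the defences that break XSSJacking's chain.
// 1) Refuse to be framed, which defeats the clickjacking step.
// 2) Output-encode the user-settable field, which defeats the Self-XSS step.

// Response headers for every authenticated page, e.g. the settings page.
// CSP frame-ancestors is the modern control; X-Frame-Options covers older browsers.
function antiFramingHeaders() {
  return {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
  };
}

// Encode untrusted text before placing it in an HTML body or attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored value is written straight into the page, so a
// payload that was pasted into the field runs whenever the user views settings.
function renderSettingsVulnerable(storedEmail) {
  return `<input name="email" value="${storedEmail}">`;
}

// Hardened pattern: same markup, but the value is encoded before insertion.
function renderSettingsHardened(storedEmail) {
  return `<input name="email" value="${escapeHtml(storedEmail)}">`;
}

// Constructed sample (not real data): a benign address with markup appended,
// the shape of input the article describes arriving through a hijacked paste.
const SAMPLE = 'alice@example.com"><script>alert(1)</script>';

// Quick demonstration when run directly with node.
console.log(antiFramingHeaders());
console.log("vulnerable:", renderSettingsVulnerable(SAMPLE));
console.log("hardened:  ", renderSettingsHardened(SAMPLE));
```

Neither fix depends on the other; the headers stop the page from being loaded inside the attacker's iframe at all, and the encoding makes a pasted payload harmless even if framing protection is missing.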
XSSJacking attacks can dump cookies, steal user data
Via XSSJacking attacks, a malicious actor can steal cookies, inbox messages, change profile settings (phone numbers, emails, etc.), steal profile details, or perform other malicious actions, Ayrey told Bleeping Computer.
“XSSJacking was a way to chain the two issues together in such a way that got unsuspecting logged in users to XSS themselves,” Ayrey said.
“This is not the first time folks have come up with creative ways to exploit Self-XSS,” the researcher added, pointing us to similar research [1, 2].
“As people come up with more creative ways to take advantage of Self-XSS, I think companies will become more motivated to fix it when it gets reported,” the researcher also noted, referring to the fact that many companies mostly ignore XSS-related bug reports.