thomaspatzke / demo-clientsidewebattacks Goto Github PK
View Code? Open in Web Editor NEWDemonstration of some client-side web application vulnerabilities (DOM XSS, Clickjacking) and wrong usage of local storage.
Demonstration of some client-side web application vulnerabilities (DOM XSS, Clickjacking) and wrong usage of local storage.
Clientside Vulnerabilities Demo App =================================== This little project contains a vulnerable application (NeverNote) and attacks against it for demonstration purposes. I use it to demonstrate some clientside web application attacks, particullary: - DOM-based XSS - Peristence of JavaScript-based malware in code cached in the LocalStorage - Clickjacking Usage ----- Put the files on a web server or start lighttpd with the provided configuration file (adapt web root!) from the root directory of this project. I use this command line: lighttpd -f lighttpd.conf -D With the provided files the following demonstration apps/pages can be used: - http://localhost:8000/nevernote/v1/nevernote.html: Vulnerable version of demo app * Note viewer is vulnerable against DOM-based XSS, e.g. add the following payload: <img src=x onerror=alert(document.domain)> * Has fast-add feature by URL fragment: http://...#<title>###<content> Do you see a random token? ;-) * Click on app-banner in bottom right corner to access some debug functionality. - http://localhost:8000/nevernote/v2/nevernote.html: Not vulnerable against DOM-based XSS. But infection previously done in v1 is still present until cache is cleaned. - http://localhost:8000/attacker/attack.html: Add DOMXSS payload by fast-note - http://localhost:8000/attacker/infect.html: Add note with XSS payload that "infects" apps locally cached JS - http://localhost:8000/attacker/infect.js: Infect payload used by infect.html - it adds some code to locally cached JS of nevernote.js which submits newly added notes to logger. - http://localhost:8000/attacker/logger.py: Logs value of parameter msg in log/<parameter apps>.log - http://localhost:8000/attacker/clickjacking.html: a clickjacking attack against the note app. The click point "X" is above the transparent frame at loading time but drops below on mouseover event. After five seconds a message appears that the user won. The click point is placed on the delete button of the first note. If the user clicks fast on it as instructed, many notes are deleted. Verify position of click point before live demos! It may be displaced on some resolutions/conditions. Demonstration ------------- This app shows: - (locally stored) DOM-based XSS. - Why browser local storages of users must be considered as compromised after a XSS vulnerability was present. And why it is a bad idea to cache JavaScript code manually in the local storage. - Why fixes must also consider the client side. - Clickjacking License ------- Copyright 2013 Thomas Skora <[email protected]> This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.