New Attack “XSSJacking” Combines Clickjacking, Pastejacking, and Self-XSS

XSSJacking is a new web-based attack that combines three other techniques — Clickjacking, Pastejacking, and Self-XSS — to steal data from users. XSSJacking can help attackers reach sensitive information for which they would normally need a more complex security flaw, such as a stored XSS (Cross-Site Scripting) or CSRF (Cross-Site Request Forgery), issues which most websites tend to fix when reported.

The attack is not fully automated, as it still relies on social engineering. For an XSSJacking attack to take place, some conditions must be met, but then again all attacks, even CSRF and SQL injection, need one or more special conditions. In the case of XSSJacking, the target website must be vulnerable to clickjacking.

Clickjacking is a technique that fools users into taking actions they didn’t intend to. For example, an attacker can place various buttons on a malicious website. On top of these buttons, he loads a portion of a legitimate website inside an iframe, and sets its opacity to 0. When the user goes to click the button, he’s actually clicking inside the hidden iframe. If the user is logged into that website, he can end up taking unwanted actions there. “Imagine the good-guy website had a ‘Delete account’ button, and imagine the evil website put a ‘Click here for a prize’ button directly under the iframed [and] now invisible ‘Delete account’ button”.

XSSJacking chains together three attack techniques

Here is where the second technique comes in, called Self-XSS, which is a type of XSS that typically can only be triggered by a user typing in an XSS payload which triggers on themselves. This can be DOM based, or set in a field only settable and viewable by the one user. For example, if the attacker aligns his iframe so the user interacts with a form field on the legitimate website, the user can insert text into that field without even knowing.

But how do you make a user copy-paste malicious text? Easy! By automating the copy action and only waiting for the user’s paste command. This is where Pastejacking comes into play. Pastejacking attacks have existed for many years, and consist of secretly adding (malicious) text at the end of copy-pasted data. The attack has mainly relied on CSS and JavaScript.

XSSJacking attacks rely on good social engineering

So let’s walk through an attack from the beginning. You’re a malicious hacker and you set up a forum. In the forum registration page, you place an “Enter your email” field and a “Retype your email” field. Secretly, you place a hidden iframe on top of the “Retype your email” field, where you load a form field from a Good Website’s settings page.

When a user wants to register on your site, he’ll write his email address and, just like most people, copy-paste it into the second field. Unknown to him, the malicious website has appended malicious code after his copy-pasted text, and the paste has inserted it into his Good Website settings page. If the Good Website is vulnerable to XSS flaws via its form fields, the attack code can perform malicious actions, and the victim won’t even have an idea when and how someone exploited his account, let alone suspect it was himself.

XSSJacking attacks can dump cookies & steal user data

Via XSSJacking attacks, a malicious actor can steal cookies, inbox messages, change profile settings (phone numbers, emails, etc.), steal profile details, or perform other malicious actions. XSSJacking was a way to chain the two issues together in such a way that got unsuspecting logged-in users to XSS themselves. As people come up with more creative ways to take advantage of Self-XSS, companies will become more motivated to fix it when it gets reported.
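Because the chain only works when the target page can be loaded in a hidden iframe, a site owner can audit that precondition from the response headers. The following is an added example, not code from the original article or the researcher; it relies on the standard browser framing controls (`X-Frame-Options` and the CSP `frame-ancestors` directive), and the function names, input shape and sample headers are assumptions made for illustration.

```javascript
// Added example: classify whether a response can be framed cross-origin,
// the precondition XSSJacking depends on. All sample headers are constructed.

// Return the frame-ancestors source list of one CSP policy, or null if absent.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (name === 'frame-ancestors') return sources;
  }
  return null;
}

// Rank one source list: 2 = no framing, 1 = limited origins, 0 = any origin.
function rank(sources) {
  if (sources.some(s => s === '*' || /^https?:$/.test(s))) return 0;
  return sources.every(s => s === "'none'") ? 2 : 1;
}

// headers: plain object keyed by lowercase header name (an assumed input shape).
function framingVerdict(headers) {
  const labels = ['frameable', 'restricted', 'blocked'];
  // Several CSP headers arrive comma-joined; every policy must allow the frame,
  // so the strictest frame-ancestors wins. Report-Only policies are not enforced
  // and are deliberately not read here.
  const lists = (headers['content-security-policy'] || '')
    .split(',').map(frameAncestors).filter(l => l !== null);
  if (lists.length > 0) {
    // An enforced frame-ancestors makes browsers skip X-Frame-Options entirely.
    return labels[Math.max(...lists.map(rank))];
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'restricted';
  // Missing, malformed, or obsolete ALLOW-FROM values give no protection
  // in current browsers.
  return 'frameable';
}
```

A verdict of `frameable` on a page that contains form fields, such as the settings page in the scenario above, means the overlay step is possible and any Self-XSS in those fields should be treated as reachable.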

Research by Venkatesh Nimmu