Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


Traffic hijacking -- the hidden danger of the floating-layer login box

Posted by mitry at 2020-04-09

Traditional login box

Users' security awareness, however, keeps improving. In today's era of online transactions of every kind, basic security common sense is widespread, and users pay special attention when logging in to an account, much as they look both ways before crossing the road.

Over time, users learn to spot a fake by glancing at the address bar.

So the traditional login mode still offers a certain degree of security: at the very least it gives users a chance to tell the real page from a fake one.

The gorgeous login box

At some point people began to imitate the look of traditional desktop applications in web pages. Controls, windows and interaction are all moving closer to native programs, and the effects grow ever more gorgeous.

Behind the gorgeousness, however, it is still a web page, and that cannot cover up the security defects of a web page.

When such web effects spread to important data interactions such as account login, risk follows, because it changes users' habits and completely overturns the traditional awareness described above.

If you think this kind of login box is no big problem, you have not understood the essence of traffic hijacking: traffic is not one-way; it flows in as well as out.

Most attackers who can capture your outgoing traffic also have a way to control your incoming traffic. The first part of this traffic hijacking series covers this in detail.

An improvement of this kind raises security only slightly. Since the attacker controls the main page, whatever is displayed in it is at the mercy of the injected script: the login box, a framed page, even a security plug-in can be removed and replaced with a text box that looks exactly the same. Once the account is captured, the attacker logs in through a back-end reverse proxy and tells the front-end script to fake a successful-login screen.

Combining the attack with cache poisoning

Traditional login

In the traditional login mode, cache poisoning is very hard to exploit:

So the only barely usable option is to modify link addresses in the main page so that users jump to a phishing site to log in.

Floating-layer login

A well-made floating-layer login box needs a lot of interface code, so a general-purpose script library such as jQuery is usually included. These scripts go unchanged for a long time, which makes them excellent raw material for cache poisoning.

So the existence of the floating-layer login box makes cache poisoning highly useful.

Despite the risks of this login mode, Baidu recently upgraded to a floating-layer login box, and did so across all of its products. So let us try the old method again and see whether the attack still works today.

We select several of the most commonly used product lines for a cache scan:

Sure enough, every product line has a long-unmodified, long-cached script library.
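The two passages above (long-lived script libraries as raw material for cache poisoning, and the cache scan that finds them) can be made concrete with a small offline "cache scan". The following is an added example written for this page, not the author's own scanning tool: it computes how long a browser may reuse a response without revalidating it (simplified RFC 7234 freshness rules), flags scripts that live longer than a threshold, and then shows why a poisoned copy served by a rogue hotspot is still used after the user moves back to a trusted network. Every URL and header below is a constructed placeholder, not a real endpoint or a recorded response.

```javascript
// Added example, not code from the original post. Offline "cache scan" on
// constructed responses: how long may a browser serve each script from cache,
// and does a poisoned copy outlive the user's stay on the rogue hotspot?
// All URLs and headers here are constructed placeholders.

const DAY = 86400;

// Lower-case header names so lookups are case-insensitive.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Parse "public, max-age=600" into { public: true, 'max-age': '600' }.
function parseCacheControl(value) {
  const out = {};
  if (!value) return out;
  for (const part of value.split(',')) {
    const [name, raw] = part.trim().split('=');
    if (name) out[name.toLowerCase()] = raw === undefined ? true : raw.replace(/"/g, '');
  }
  return out;
}

// Seconds a copy may be reused without revalidation, in RFC 7234 precedence:
// no-store/no-cache -> 0, then max-age, then Expires minus Date, then the
// heuristic 10% of (Date - Last-Modified). Real browsers cap the heuristic
// with their own limits; this returns the upper bound the headers permit.
function freshnessLifetime(headers, receivedAt) {
  const h = lowerKeys(headers);
  const cc = parseCacheControl(h['cache-control']);
  if (cc['no-store'] || cc['no-cache']) return 0;
  if (cc['max-age'] !== undefined) {
    const n = parseInt(cc['max-age'], 10);
    return Number.isNaN(n) ? 0 : Math.max(0, n);
  }
  const dateMs = h['date'] ? Date.parse(h['date']) : receivedAt * 1000;
  if (h['expires'] !== undefined) {
    const exp = Date.parse(h['expires']);
    // An unparsable Expires (e.g. "0") means "already stale".
    return Number.isNaN(exp) ? 0 : Math.max(0, Math.floor((exp - dateMs) / 1000));
  }
  if (h['last-modified']) {
    const lm = Date.parse(h['last-modified']);
    if (!Number.isNaN(lm) && dateMs > lm) return Math.floor((dateMs - lm) / 10000);
  }
  return 0;
}

// A stored cache entry and whether it is still fresh at epoch second `t`.
function cacheEntry(url, headers, storedAt) {
  return { url, storedAt, lifetime: freshnessLifetime(headers, storedAt) };
}
function isFresh(entry, t) {
  return t - entry.storedAt < entry.lifetime;
}

// The scan itself: every script the browser may keep at least `minDays`.
function scanScripts(responses, receivedAt, minDays) {
  return responses
    .filter(r => /javascript/i.test(lowerKeys(r.headers)['content-type'] || ''))
    .map(r => {
      const lifetime = freshnessLifetime(r.headers, receivedAt);
      return { url: r.url, lifetimeDays: Math.round(lifetime / DAY), poisonable: lifetime >= minDays * DAY };
    });
}

const RECEIVED_AT = Date.parse('Thu, 09 Apr 2020 00:00:00 GMT') / 1000;

// Constructed responses, as a site's assets might answer on the real network.
const SAMPLE_RESPONSES = [
  { url: 'http://example.com/static/lib/jquery-1.10.2.min.js',
    headers: { 'Date': 'Thu, 09 Apr 2020 00:00:00 GMT',
               'Last-Modified': 'Thu, 09 Apr 2015 00:00:00 GMT',   // untouched for 5 years
               'Content-Type': 'application/javascript' } },
  { url: 'http://example.com/static/common.js',
    headers: { 'Date': 'Thu, 09 Apr 2020 00:00:00 GMT',
               'Cache-Control': 'public, max-age=31536000',
               'Content-Type': 'application/javascript' } },
  { url: 'http://example.com/static/ad.js',
    headers: { 'Date': 'Thu, 09 Apr 2020 00:00:00 GMT',
               'Expires': 'Thu, 09 Apr 2020 01:00:00 GMT',
               'Content-Type': 'application/javascript' } },
  { url: 'http://example.com/login',
    headers: { 'Cache-Control': 'no-store', 'Content-Type': 'text/html' } },
];

// What the rogue hotspot answers for the jQuery URL: its own script body with
// a one-year lifetime, so the copy outlives the user's stay on the hotspot.
const POISONED_HEADERS = {
  'Date': 'Thu, 09 Apr 2020 00:00:00 GMT',
  'Cache-Control': 'public, max-age=31536000',
  'Content-Type': 'application/javascript',
};

function demo() {
  const scan = scanScripts(SAMPLE_RESPONSES, RECEIVED_AT, 7);
  const poisoned = cacheEntry(SAMPLE_RESPONSES[0].url, POISONED_HEADERS, RECEIVED_AT);
  // A day later, rebooted and on trusted WiFi: still fresh, so no request
  // reaches the real server and the injected script runs again.
  const stillPoisoned = isFresh(poisoned, RECEIVED_AT + 1 * DAY);
  const expiredAfterYear = !isFresh(poisoned, RECEIVED_AT + 366 * DAY);
  return { scan, stillPoisoned, expiredAfterYear };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Two things the scan makes visible: a library with no Cache-Control at all is still a good target, because the heuristic lifetime derived from a years-old Last-Modified runs to months; and the poisoned copy does not need the victim to stay on the hotspot, since whatever max-age the attacker chose is what the browser honours afterwards. A defender running such a scan against their own pages should treat any long-lived script loaded over plain HTTP as an injection point.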

Then we open our phishing hotspot, so that any user who connects is poisoned as soon as they visit any page.

To make the phishing hotspot less conspicuous, this time we no longer use a router but a discarded Android phone (the next article details how this is done).

So as not to disturb the nearby office, this article does not demonstrate a hotspot with the same name as a real one; I just chose a name at random.

Then we let the "victim" connect to our hotspot:

(Since the principle is the same as before, the steps are omitted here.)

Then restart the computer and connect to the normal WiFi (simulating the user returning to a safe place).

Open the site: everything looks OK.

Start logging in...

Let us see whether this floating login box can escape our XSS script, awakened from its long sleep:

Miracles still happen!

The principle has already been explained in detail, so it is not repeated here. In practice, though, cache poisoning plus a login box on an insecure page is the best way to harvest plaintext accounts in bulk.

Irreversible memory

Is there still time to switch the login mode back to the traditional one? Obviously not; it is too late.

When a website first upgrades from traditional login to a floating-layer login, most users do not type immediately; they first "appreciate" the creativity of the new version, confirm that it is not a pop-up from adware but the real official design, and only then start to log in.

After using the floating login box many times, users slowly accept the new mode.

Even if the website later abolishes the floating-layer login and a hacker uses XSS to create a similar floating layer, users will still enter their account without hesitation, because in their memory the official site used it, and it still retains their trust.

Security upgrade

Since this process is irreversible, there is little point in going back to the traditional model. In fact, the user experience of the floating layer is not bad at all; users who know nothing about security prefer the gorgeous interface.