because it's an easy way to infect thousands of users and collect their data
Posted by Christian Haschek on 29.05.13
[UPDATE] Check out the new post where I scan the web for proxies that use this kind of manipulation: https://blog.haschek.at/2015-analyzing-443-free-proxies
I recently stumbled across a presentation by Chema Alonso at the Defcon 20 conference where he talked about how he created a Javascript botnet from scratch and how he used it to find scammers and hackers.
Everything is done with a stock Squid proxy and a few small config changes.
The idea is pretty simple:
- [Server] Install Squid on a linux server
- [Payload] Modify the server so every transmitted javascript file gets one extra piece of code that does things like sending all data entered in forms to your server
- [Cache] Set the caching time of the modified .js files as high as possible
What's the worst thing that could happen?
When someone can force you to load an infected .js file, they can
- Steal your login info of the sites you visit (from login forms or cookies)
- Steal your banking account info/credit card
- Force you to participate in DDoS attacks by telling your browser to load a website a few hundred times a second via iframe/script requests
- basically see everything you're doing on the web (including reading mouse positions, etc.)
https
This technique also works with https if the site loads unsafe resources (e.g. jQuery from an http site). Most browsers will tell you that, some might even block the content, but usually nobody pays attention to the "lock" symbol.
To put it simply:
- Safe:

- Unsafe:

In the presentation Chema said he posted the IP of the modified server on the web and after a few days there were over 5000 people using his proxy. Most people used it for bad things, because everyone knows you're only anonymous on the web when you've got a proxy, and it looks like many people don't think that the proxy itself could do something bad to them.
I was wondering if it really is that simple, so I took a VM running Debian and tried implementing the concept myself.
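A way to check from the user's side whether a proxy tampers with javascript, added here as an example and not code from the original post: fetch a script directly and through the proxy with caching disabled, compare the two copies by hash, and list any lines the proxied copy gained. The sample library and the injected line are constructed; `check_proxy` is a hypothetical helper that needs network access, while `find_injection` runs offline.

```python
import difflib
import hashlib
import urllib.request
from typing import List, Optional


def fingerprint(data: bytes) -> str:
    """SHA-256 of a script body, used to compare the direct and proxied copies."""
    return hashlib.sha256(data).hexdigest()


def find_injection(direct: bytes, proxied: bytes) -> List[str]:
    """Return lines present in the proxied copy but not in the direct copy.

    An empty list means the proxy delivered the script byte-for-byte unchanged.
    """
    if fingerprint(direct) == fingerprint(proxied):
        return []
    direct_lines = direct.decode("utf-8", "replace").splitlines()
    proxied_lines = proxied.decode("utf-8", "replace").splitlines()
    diff = list(difflib.unified_diff(direct_lines, proxied_lines, lineterm="", n=0))
    # diff[0:2] are the ---/+++ headers; keep only added content lines
    return [line[1:] for line in diff[2:] if line.startswith("+")]


def fetch(url: str, proxy: Optional[str] = None) -> bytes:
    """Fetch a URL directly (ignoring environment proxies) or via host:port.

    Cache-Control: no-cache defeats the long cache time a poisoning proxy sets
    on modified .js files, so we see what the proxy serves right now.
    """
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache", "Pragma": "no-cache"})
    with opener.open(req, timeout=10) as resp:
        return resp.read()


def check_proxy(url: str, proxy: str) -> List[str]:
    """Hypothetical helper: lines a proxy adds to the script at url (needs network)."""
    return find_injection(fetch(url), fetch(url, proxy))


# Constructed sample: a small library as the origin serves it, and the same file
# as it would arrive from a proxy that appended a link-rewriting statement.
ORIGINAL_JS = b"function greet(n){return 'hi '+n;}\n"
POISONED_JS = ORIGINAL_JS + (
    b"for(var i=0;i<document.getElementsByTagName('a').length;i++)"
    b"document.getElementsByTagName('a')[i].href='https://example.invalid';\n"
)

if __name__ == "__main__":
    for extra in find_injection(ORIGINAL_JS, POISONED_JS):
        print("injected:", extra)
```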
Make your own js infecting proxy
I assume that you already have a Squid proxy running; you'll also need a webserver like Apache using /var/www as its web root directory (which is the default).
Step 1: Create a payload
For the payload I'll use a simple script that takes all links on a webpage and rewrites their href (link) attribute to point to my site.
/etc/squid/payload.js
for(var i=0;i<document.getElementsByTagName('a').length;i++) document.getElementsByTagName('a')[i].href = "https://blog.haschek.at";
Step 2: Write the script that poisons all requested .js files
/etc/squid/poison.pl
#