There is no Data, there is only XUL: Using XUL to spoof a web browser and next generation UIML phishing attacks
I started poking around with 'chrome://' this week, which led me to something I've been meaning to look at for a while but lacked the time for: Mozilla's XUL technology. XUL is a User Interface Markup Language that has been around for a while and is supported by default in Mozilla-based browsers. XUL allows you to create user interfaces with XML, allowing for richer client-side applications. While XUL is typically not associated with the 'Web 2.0' buzz, it does provide a rich interface on the client side and is a fairly interesting technology.
A few disclaimers:
- The code is sloppy as hell. If you don't like it, tough; I'm lazy and will clean it up whenever I get around to it.
- This is a POC. This is not a fully featured browser you can use for phishing.
- The menus are not linked and the buttons don't work. Only the urlbar, Google bar, and body are working in this version.
- This is not supposed to be a fully functional phishing browser so please don't email me with 'well it doesn't do X'. I'm aware and would rather not publish phishing features, merely demonstrate. This demo uses an iframe which disallows viewing data from other domains. This is an intentional decision.
- This has only been tested on Windows XP with Firefox 2 (default).
- This is not a vulnerability in Firefox.
- I wouldn't be surprised if another has come up with this idea. People in the same space often come up with the same ideas. If you know of a link to something like this let me know and I'll link it.
How do I protect myself?
- Disable popup windows
A couple of hints on bypassing the domain restrictions of iframes:
- Web application proxies and dynamic link rewriting.
User Interface Markup Languages are going to be a special treat for the phishing world as additional functionality is enabled in browsers, and I suspect this trend is only going to grow. Stay tuned! :)
- My friend Chris found a link on Mozilla speaking about these sorts of issues. While I honestly hadn't seen this beforehand, I will properly reference it. As I said above, I wouldn't be surprised if someone had spoken about this beforehand. I know I hadn't read anything :)