"There is no Data, there is only XUL"
How this POC works
1. Fires up a new window with my copy of browser.xul modified (This file is sitting on attacker.com)
2. Utilizes the XUL skin to emulate what your browser looks like (nothing more!).
3. Hooks certain js events in XUL skin to perform actions
4. loads web pages into an iframe (in this version). This public POC will not allow frame hopping.
5. records urlbar, and googlebar and send them to the host of my choice
6. emulates googlebar and the urlbar. (See TODO)
- You must prefix all urls with http://
- Doesn't handle html FORMS (urlbar will vanish)
This POC is only trying to demonstrate that you can be fooled with XUL applications. Someone with more time than I can make this much more functional. Simply put, I don't want to help you be evil.
What this POC doesn't do
- Doesn't auto update the urlbar when you click a link. While I can't see the content of the stuff inside the frame, I can grab this value from the iframe location. Just been to lazy to make this pretty.
- This demo will not log what you do in the iframe/body. By default browser security zones prevent this, however I have discovered a way to do this, but frankly don't see the positive in publishing how to do this. Not to mention this particular method requires the use of an open proxy and I'm not going to open up one of those to the net. Sorry but I don't trust any of you :)
In order to use this demo:
- Use Windows XP (others probably work)
- Use Firefox 2 (update to date works
- Additional information can be found at http://www.cgisecurity.com/2007/03/thereisonlyxul.html
- Add http:// preparser/preappender
- Add better data passing to logger script
- Clean it up a bit
- Surpress error messages from copy/paste code
Note: This particular demo only works in firefox2.
Click the link below to start the overlay demo.