« Javascript is everywhere | Main | JavaScript bug hunting tool demonstrated, and ethical release of POC code »

There is no Data, there is only XUL: Using XUL to spoof a web browser and next generation UIML phishing attacks

The following outlines how to utilize XUL applications to 'spoof' an entire firefox/mozilla window. This allows one to phish people across all domains simply by visiting any webpage where popups and JavaScript is allowed to execute. This is merely a demonstration on how to fool people with UIML's.

I started poking around with 'chrome://' this week which lead me to something I've been meaning to look at for awhile, but just lacked the time, mozilla's XUL technology. XUL is a User Interface Markup Language and has been around for awhile and is supported in mozilla based browsers by default. XUL allows you to create User Interfaces with XML allowing for richer client side applications. While XUL is typically not associated with the 'Web 2.0' buzz, it does provide a rich interface on the client side and is a fairly interesting technology.

So for starters, I am not a XUL programmer, I am not a XUL expert, I am merely a tinkerer. Being the tinkerer that I am I was looking at chrome calls and came across 'chrome://browser/content/browser.xul' which is essentially a copy of your firefox browser GUI. I tracked down the file locally and was curious if I could use this technology to create a fake window overlay in order to sniff all traffic and phish people. After a few hours of tinkering with XUL and JavaScript I discovered yes, you can fool people into using a xul based app.

A few disclaimers:
- The code is sloppy as hell. If you don't like it, tough I'm lazy and will clean it up whenever I get around to it
- This is a POC. This is not a fully featured browser you can use for phishing.
- The menu's are not linked, the buttons don't work. Only the urlbar, google bar, and body are working in this version
- This is not supposed to be a fully functional phishing browser so please don't email me with 'well it doesn't do X'. I'm   aware and would rather not publish phishing features, merely demonstrate. This demo uses an iframe which disallows   viewing data from other domains. This is an intentional decision.
- This has only been tested on Windows XP with firefox2 (default).
- This is not a vulnerability in firefox.
- I wouldn't be surprised if another has come up with this idea. People in the same space often come up with the same ideas. If you know of a link to something like this let me know and I'll link it.

How do I protect myself?
- Disable popup windows
- Disable JavaScript

A couple of hints on bypassing the domain restrictions of iframes:
- Web Application proxies, and dynamic link rewriting.
- http://ha.ckers.org/blog/20061013/server-environmental-variables-in-javascript-space/

User Interface Markup Languages are going to be a special treat for the phishing world as additional functionality is enabled in browsers, and I suspect this trend is only going to grow. Stay tuned! :)

- My friend Chris found a link on mozilla speaking about these sorts of issues. While I honestly hadn't seen this beforehand I will properly reference it. As I said above I wouldn't be surprised if someone had spoken about this beforehand. I know I hadn't read anything :)

Demo: http://www.cgisecurity.com/xul-browser-overlay.html


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!