Phishing with Data URIs

Hey guys!

I was looking around the internet for information about Data URIs. They are URIs (Uniform Resource Identifiers) that carry the content of the resource inside the URI itself, instead of pointing at a file on a server. They are quite useful in the web development world for cutting down the number of HTTP requests a page makes, for example by inlining small images or style sheets. By the definition from Wikipedia:
"The data URI scheme is a uniform resource identifier (URI) scheme that provides a way to include data in-line in web pages as if they were external resources. It is a form of file literal or here document. This technique allows normally separate elements such as images and style sheets to be fetched in a single Hypertext Transfer Protocol (HTTP) request, which may be more efficient than multiple HTTP requests."
They are of the following form (again, from Wikipedia):
data:[<media type>][;base64],<data>
Here is an example of a data URI:
data:text/plain,hello
It specifies that the MIME type of the data is text/plain, and the text after the comma is the data itself. You can paste it into the browser's address bar and it will show you the text. If the media type is left out, the browser assumes text/plain;charset=US-ASCII; adding ;base64 before the comma means the data is base64-encoded rather than percent-encoded.

However, one part of the Wikipedia article caught my eye:
"The data URI can be utilized by criminals to construct attack pages that attempt to obtain usernames and passwords from unsuspecting web users. It can also be used to get around site cross-scripting restrictions, embedding the attack payload fully inside the address bar, and hosted via URL shortening services rather than needing a full website that is owned by the criminal."
That led me to a page where a researcher demonstrated this kind of attack by turning Wikipedia's login page into a phish: https://nakedsecurity.sophos.com/2012/08/31/phishing-without-a-webpage-researcher-reveals-how-a-link-itself-can-be-malicious/

Here's a simplified demonstration of this kind of attack. But before that:

!!!!!!!!!!!!!DISCLAIMER!!!!!!!!!!!!!

This information is for educational purposes only. DO NOT USE IT FOR ANY KIND OF HARMFUL ACTION. I WILL NOT BE RESPONSIBLE FOR ANY DAMAGE CAUSED.



We'll start off by creating a simple HTML page for our phishing:

    <!DOCTYPE html>
    <html>
      <head>
        <meta charset="utf-8">
        <title>Sample Phish</title>
        <script>
            // Read whatever was typed into the password field and show it.
            // A real phish would send it to the attacker instead of alerting it.
            function shout() {
                alert("Password is: "
                    + document.querySelector("input[type='password']").value);
            }
        </script>
      </head>
      <body>
        <form>
            Login: <input type="text" name="login">
            Password: <input type="password" name="password">
            <!-- type="button" so the click only runs shout() and never submits the form -->
            <button type="button" onclick="shout()">Submit</button>
        </form>
      </body>
    </html>



Quite a simple form. It is like any traditional login form, except that the Submit button calls a JS function when clicked instead of posting anywhere; the function just alerts the password in plain text. A real phish would replace the alert with a request carrying the credentials to a server the attacker controls, but that part is left out here on purpose.

Now we convert it into a data URI.

Open any JS console (Chrome/Firefox Developer Tools, the Node REPL, JSBin, the Babel REPL, whatever you prefer, provided it supports ES2015 template literals). Run the following command (broken on purpose, to avoid accidental damage to others; continue at your own risk):

    'data:txet/htmtl;charset=utf-8, + ncodeURIComponent(`<HTML_PAGE_CONTENT>`);

The first string is the data URI "header", which gives the MIME type and charset. The percent-encoded HTML document is then concatenated to it. Note the backticks: they make the HTML a template literal, so the multi-line document can be pasted in as-is without escaping the newlines or the double quotes. encodeURIComponent matters too, because characters such as #, % and ? would otherwise be interpreted as part of the URI (a # starts a fragment) rather than as page content.

You should get a string that looks like this (encoding broken purposefully):

    data:txet/htmtl;charset-utf-8,<!DOCTYPE%20htmtl>%0A<htmtl>%0A%20%20<head>%0A%20%20%20%20<meta%20charset%3D"utf-8">%0A%20%20%20%20<title>Sample%20Phish%20%3AP<%2Ftitle>%0A%20%20%20%20<script>%0A%20%20%20%20%20%20%20%20function%20shout()%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20alfewwert("Passdssworvsddsd%%20is%3A%20"%20%2B%20document.querySelector("input%5Btype%3D'password'%5D").value)%3B%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20<%2Fscript>%60A%20%20<%2Fhead>%0A%20%20<body>%0A%20%20%20%20<form>%0A%20%20%20%20%20%20%20%20Login%3A%20<input%20type%3D"text"%20name%3D""%20value%3D""">%0A%20%20%20%20%20%20%20%20Password%3A%20<input%20type%%3D"password"%%260name%3D""%20value%3D"">%0A%20%20%20%20%20%20%20%20<button%20onclick%3D"return shout()"%20type%3D"button"%20name%%3D"button">Submit<%2Fbutton>%0A%20%20%20%20<%2Fform>%0A%20%20<%2Fbody>%0FA<%2Fhtmtl>
If you load this in the address bar (your own encoded version, with the encoding and the JS intact, of course), you should see the simple form. Fill in some test credentials and click Submit: it alerts the password in plain text, served from a page that exists nowhere except in the URL itself.

One defence against this kind of phishing is to always check your URLs. A data URI has no domain and no padlock: the address bar starts with data: and is followed by the whole page, so one that carries a login form easily exceeds 1,000 characters and stands out once you look at it. Note the catch in the Wikipedia passage above, though: a URL shortener hides all of that until the redirect has happened, so the check has to be made in the address bar, not on the link you were sent. If anyone sends you a data URI, check its MIME type first. text/html deserves caution, and so do the other types a browser renders as a scriptable document (application/xhtml+xml, image/svg+xml); a ;base64 section before the comma means the markup is there but not readable in the bar. Browsers have also tightened this up since: Chrome (from version 60) and Firefox (from version 59) refuse top-level navigation to data: URIs started by a page, such as a clicked link, while a URI typed or pasted into the address bar still loads.
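Putting the construction step and the MIME-type check together, as an added example that is not code from the original post: the JavaScript below builds the data: URI the same way the console one-liner does (plus a base64 variant), then parses any data: URI back into media type, attributes and payload so the check above can be done mechanically rather than by eyeballing a 1,000-character address bar. PHISH_HTML is a constructed stand-in for the form above, the parser follows the RFC 2397 grammar, and the list of scriptable document types is my own; it runs under Node.

```javascript
// Added example, not code from the original post. Builds the data: URI the
// post describes from an HTML string, and parses any data: URI back into its
// parts so the media type can be inspected before the link is opened.
// PHISH_HTML is a constructed stand-in for the post's form. Runs under Node.

const PHISH_HTML = `<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Sample Phish</title>
<script>
function shout() {
  alert("Password is: " + document.querySelector("input[type='password']").value);
}
</script></head>
<body><form>
Login: <input type="text" name="login">
Password: <input type="password" name="password">
<button type="button" onclick="shout()">Submit</button>
</form></body></html>`;

// Percent-encoded form: what the post builds in the JS console.
// encodeURIComponent escapes '#', '%', '?' and whitespace, which would
// otherwise be read as part of the URI rather than as page content.
function toDataUri(html, mediaType = "text/html;charset=utf-8") {
  return `data:${mediaType},${encodeURIComponent(html)}`;
}

// base64 form: same document, but the markup is no longer readable in the
// address bar, so scanning the URL for "<script" is not a reliable check.
function toBase64DataUri(html, mediaType = "text/html;charset=utf-8") {
  const b64 = Buffer.from(html, "utf8").toString("base64");
  return `data:${mediaType};base64,${b64}`;
}

// Document types a browser will run script from when loaded top-level
// (assumption for this example; text/plain and raster images are not here).
const SCRIPTABLE_TYPES = new Set(["text/html", "application/xhtml+xml", "image/svg+xml"]);

// Parse data:[<mediatype>][;base64],<data> (RFC 2397).
// Returns null when the string is not a data: URI at all.
function parseDataUri(uri) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri.trim());
  if (!m) return null;

  const params = m[1].split(";").map((s) => s.trim()).filter(Boolean);
  const isBase64 = params.length > 0 && params[params.length - 1].toLowerCase() === "base64";
  if (isBase64) params.pop();

  // RFC 2397: an omitted media type means text/plain;charset=US-ASCII.
  const mediaType = params.length > 0 && params[0].includes("/")
    ? params.shift().toLowerCase()
    : "text/plain";

  // Remaining parameters are key=value attributes such as charset=utf-8.
  const attributes = {};
  for (const p of params) {
    const eq = p.indexOf("=");
    if (eq > 0) attributes[p.slice(0, eq).toLowerCase()] = p.slice(eq + 1);
  }

  let payload;
  let decodeError = false;
  if (isBase64) {
    payload = Buffer.from(m[2], "base64").toString("utf8");
  } else {
    try {
      payload = decodeURIComponent(m[2]);
    } catch (e) {
      // Malformed percent-encoding (a stray '%', as in the post's broken
      // sample); keep the raw text so the caller can still inspect it.
      payload = m[2];
      decodeError = true;
    }
  }

  return {
    mediaType,
    attributes,
    isBase64,
    payload,
    decodeError,
    executesScript: SCRIPTABLE_TYPES.has(mediaType),
    // <script> tags or inline event handlers such as onclick=
    containsScript: /<script[\s>]|\bon[a-z]+\s*=/i.test(payload),
  };
}

// The check the post recommends, as a function: look at the media type
// before deciding whether to open the link.
function triage(uri) {
  const parsed = parseDataUri(uri);
  if (!parsed) return "not-a-data-uri";
  return parsed.executesScript ? "caution" : "lower-risk";
}

function demo() {
  const uri = toDataUri(PHISH_HTML);
  console.log(uri.length + " characters, media type " + parseDataUri(uri).mediaType + ", verdict " + triage(uri));
  console.log("base64 variant verdict " + triage(toBase64DataUri(PHISH_HTML)));
  console.log("data:text/plain,hello verdict " + triage("data:text/plain,hello"));
}
demo();
```

The parser deliberately decodes the base64 variant before looking for script, since that is exactly the form in which the markup is hidden from the address bar; the percent-encoded form is what the post's console command produces.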

Cheers!
-Technohacker
