Avast WEBforum

Other => General Topics => Topic started by: polonus on February 02, 2009, 04:34:03 PM

Title: Javascript design flaws...
Post by: polonus on February 02, 2009, 04:34:03 PM
Hi malware fighters,

Many have heard about JS exploits like clickjacking, but there are other JavaScript design flaws, as the following example shows... First of all, the user clicks on a button/link. Then a new tab/window opens which loads the content of hxxp://www.google.com. Five seconds later, the newly created tab is preloaded with the content of hxxp://www.gnucitizen.org. Disturbing here is the break in the trust relationship between the user and google.com... and there are various other ways to play out this simple magic... as gnucitizen found.

Code:
<html>
  <body>
    <script>
      function clickme() {
        var w = window.open('hxxp://www.google.com');
        setTimeout(function () {
          w.location = 'hxxp://www.gnucitizen.org';
        }, 5000);
      }
    </script>
    <input type="button" value="click me" onclick="clickme(this)"/>
  </body>
</html>
Just another reason to have NoScript and RequestPolicy inside the Fx browser,

polonus
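
The pattern in the post above, turned into a review-time check (an added example, not part of the original post): a small Node.js heuristic that flags scripts which keep a `window.open()` handle and later navigate it, and reports whether that navigation sits inside a timer callback. The function names and the sample input are constructed for illustration.

```javascript
// Added example: heuristic scan for a window.open() handle that the opening
// page navigates afterwards. Regex-based triage aid only; it misses aliased or
// obfuscated handles and does not account for parentheses inside strings.

// True when position `to` lies inside a setTimeout/setInterval call that starts
// at or after `from` (parentheses still unbalanced when `to` is reached).
function insideTimer(source, from, to) {
  const timerRe = /\bset(?:Timeout|Interval)\s*\(/g;
  timerRe.lastIndex = from;
  let t;
  while ((t = timerRe.exec(source)) !== null && t.index < to) {
    let depth = 0;
    for (let i = t.index; i < to; i++) {
      if (source[i] === '(') depth++;
      else if (source[i] === ')') depth--;
    }
    if (depth > 0) return true;
  }
  return false;
}

// Returns one finding per navigation of a handle obtained from window.open().
function findOpenedWindowRedirects(source) {
  const findings = [];
  const openRe = /\b([A-Za-z_]\w*)\s*=\s*(?:window\.)?open\s*\(/g;
  let m;
  while ((m = openRe.exec(source)) !== null) {
    const name = m[1];
    // Assignment to handle.location(.href), or handle.location.replace()/assign().
    const navRe = new RegExp(
      `\\b${name}\\.location(?:\\.href)?\\s*=(?!=)|` +
      `\\b${name}\\.location\\.(?:replace|assign)\\s*\\(`, 'g');
    navRe.lastIndex = openRe.lastIndex; // only look after the open() call
    let n;
    while ((n = navRe.exec(source)) !== null) {
      findings.push({
        handle: name,
        line: source.slice(0, n.index).split('\n').length,
        delayed: insideTimer(source, m.index, n.index),
      });
    }
  }
  return findings;
}

// Constructed sample mirroring the snippet in the post (URLs left defanged).
const SAMPLE = "function clickme() {\n  var w = window.open('hxxp://www.google.com');\n" +
  "  setTimeout(function () {\n    w.location = 'hxxp://www.gnucitizen.org';\n  }, 5000);\n}";
console.log(findOpenedWindowRedirects(SAMPLE));
```

A finding with `delayed: true` is the case described in the post, where the tab shows one site first and is swapped for another after the user has stopped watching it.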