This is English version of my MouseOverJacking attacks article.
MouseOverJacking - it’s a new kind of attacks on web browsers, developed by me in September 2008. These attacks can be used for using of different vulnerabilities in browsers or web sites, where pointing of mouse cursor at an object is needed. And so with help of MouseOverJacking technique it’s possible to intercept cursor’s move and to conduct an attack.
In article Clickjacking Details RSnake wrote about this attack vector. But I first gave example of this attack vector a month before (yet before first announcement of Clickjacking). Besides, he described very briefly this attack vector, which required separate article, which I did in my article.
The idea of MouseOverJacking attacks.
Main idea of this attack, on which I accented already in my announcement, that for conducting of this attack it’s needed only single move of mouse cursor. Only moving of cursor at one pixel in any direction (only one small move) - and it’ll trigger an attack.
If in ClickJacking a victim must to do a click, then in MouseOverJacking no click is required, only moving of cursor . So users of Internet must be careful not just with clicks, but even with moves of cursor.
The difference between common attack with using of onMouseOver event and MouseOverJacking attack in that, that in common attack it’s needed that a victim moves his cursor over required object (at a page), so the attack pass successfully. And in MouseOverJacking attack this process is going automatically, because a victim only needs to make single move at one pixel (which will happened right away at visiting of a page). So MouseOverJacking is designed for automation of attacks with using of onMouseOver event (in IE also onMouseEnter can be used), to increase their effectiveness.
Possibilities of using of MouseOverJacking.
There are possible the next attacks via MouseOverJacking:
1. XSS attacks with using of onMouseOver event.
2. DoS attacks on browsers.
3. Other attacks at pointing of cursor.
XSS attacks with using of onMouseOver event.
It’s possible to intercept onMouseOver events in Cross-Site Scripting vulnerabilities, when other vectors of XSS attacks are impossible at the site. For example, in case of filtration at the server or using of WAF.
DoS attacks on browsers.
It’s possible to conduct DoS attacks on browsers, as I showed it on example of DoS vulnerability in Google Chrome in September 2008 during of conducting of Day of bugs in Google Chrome project. I called this attack DoS via MouseOver.
Other attacks at pointing of cursor.
There are also possible other attacks, where it’s possible to use MouseOverJacking. E.g., CSRF attacks, if some event takes place at pointing of mouse cursor at some object at the site.
Examples of MouseOverJacking attacks.
I already mentioned example of DoS attack via MouseOverJacking (on Chrome) with exploit which uses CSS. Here is main part of a code of exploit:
<a style="width:100%;height:100%;display:block" href="dos:%"></a>
In case of presence of persistent XSS vulnerability or uploader at the site (where other vectors of attack are impossible, except via events of html objects), it’s possible to place the next code:
<a href="#" style="width:100%;height:100%;display:block;position:absolute;top:0px;left:0px" onMouseOver="alert(document.cookie)"> </a>
Recently I wrote about XSS vulnerability in Invision Power Board found by Xacker. In his advisory he gave an example of XSS attack with using of onMouseOver for bypassing filters in IPB 3.0.4. In this case it’s just XSS attack via onMouseOver (which I refer to Strictly social XSS), when it’s needed to wait until admin will point cursor at a text, to execute a code. But if to use my MouseOverJacking technique, then effectiveness of the attack will rise, because a code will execute right away when user will visit a page.
Nice example of XSS attacks with using of onMouseOver is Cross-Site Scripting vulnerability in WordPress 2.8.1. The most interesting is that, that onMouseOver event is using for conducting of click (the idea itself is very interesting offered by superfreakaz0rz).
In given exploit for this vulnerability it’s needed to send request at the site and wait until admin will fall into a trap (i.e. it’s common XSS attack via onMouseOver). To speed up this process it’s possible to use MouseOverJacking attack (with invisible iframe or via CSS). And taking into account that after pointing of cursor a click will trigger, then this attack can be refer to kind of joint MouseOverJacking + ClickJacking attacks.
Protection from MouseOverJacking.
In case of DoS attacks or any other attacks via MouseOverJacking with using of CSS, caution of user will help (it’s needed to visit reliable resources) and updating of browser to last version.