MouseOverJacking attacks

20:06 29.12.2009

This is the English version of my MouseOverJacking attacks article.

Last year I announced MouseOverJacking: on 12.12.2008 in the WASC Mailing List, and on 17.12.2008 at my site. But only now have I found time to write an article about it.

MouseOverJacking is a new kind of attack on web browsers, which I developed in September 2008. These attacks can be used to exploit different vulnerabilities in browsers or web sites where pointing the mouse cursor at an object is required. With the help of the MouseOverJacking technique it is possible to intercept the cursor's movement and conduct such an attack.

In the article Clickjacking Details, RSnake wrote about this attack vector. But I first gave an example of this attack vector a month earlier (even before the first announcement of Clickjacking). Besides, he described this attack vector very briefly, while it requires a separate article, which is what I did in my article.

The idea of MouseOverJacking attacks.

The main idea of this attack, which I already stressed in my announcement, is that conducting it requires only a single movement of the mouse cursor. Moving the cursor by just one pixel in any direction (only one small move) triggers the attack.

If in ClickJacking a victim must click, then in MouseOverJacking no click is required, only a cursor move ;-) . So Internet users must be careful not just with clicks, but even with cursor movements.

The difference between a common attack using the onMouseOver event and a MouseOverJacking attack is that in the common attack the victim must move his cursor over the required object (on the page) for the attack to succeed. In a MouseOverJacking attack this happens automatically, because the victim only needs to make a single one-pixel move (which happens right away on visiting the page). So MouseOverJacking is designed to automate attacks that use the onMouseOver event (in IE onMouseEnter can also be used), to increase their effectiveness.

Possibilities of using MouseOverJacking.

The following attacks are possible via MouseOverJacking:

1. XSS attacks using the onMouseOver event.
2. DoS attacks on browsers.
3. Other attacks triggered by pointing the cursor.

To conduct a MouseOverJacking attack it is necessary to lure the victim to a page with the exploit code (which can be made using CSS or JavaScript).

XSS attacks using the onMouseOver event.

It is possible to use onMouseOver events for Cross-Site Scripting vulnerabilities when other XSS attack vectors are impossible at the site, for example because of filtering at the server or the use of a WAF.

In some cases CSS can be used for this. Alternatively, an invisible iframe placed under the user's cursor can be used (similarly to the ClickJacking method); this variant of the attack requires JavaScript.

DoS attacks on browsers.

It is possible to conduct DoS attacks on browsers, as I showed with the example of a DoS vulnerability in Google Chrome in September 2008, during my Day of bugs in Google Chrome project. I called this attack DoS via MouseOver.

The attack is possible when the browser has a suitable DoS vulnerability. Either JavaScript or CSS can be used for it, as in the case of my exploit for Chrome.

Other attacks triggered by pointing the cursor.

Other attacks where MouseOverJacking can be used are also possible, e.g. CSRF attacks, if some event takes place when the mouse cursor is pointed at some object on the site.

Examples of MouseOverJacking attacks.

I already mentioned the example of a DoS attack via MouseOverJacking (on Chrome) with an exploit that uses CSS. Here is the main part of the exploit code:

<a style="width:100%;height:100%;display:block" href="dos:%"></a>

In the case of a persistent XSS vulnerability or an uploader at the site (where other attack vectors are impossible except via events of HTML objects), it is possible to place the following code:

<a href="#" style="width:100%;height:100%;display:block;position:absolute;top:0px;left:0px" onMouseOver="alert(document.cookie)">&nbsp;</a>

Recently I wrote about an XSS vulnerability in Invision Power Board found by Xacker. In his advisory he gave an example of an XSS attack using onMouseOver to bypass filters in IPB 3.0.4. In this case it is just an XSS attack via onMouseOver (which I classify as Strictly social XSS), where one must wait until the admin points the cursor at a text for the code to execute. But if my MouseOverJacking technique is used, the effectiveness of the attack rises, because the code executes right away when the user visits the page.

A nice example of an XSS attack using onMouseOver is the Cross-Site Scripting vulnerability in WordPress 2.8.1. The most interesting thing is that the onMouseOver event is used to perform a click (a very interesting idea, proposed by superfreakaz0rz).

In the published exploit for this vulnerability one must send a request to the site and wait until the admin falls into the trap (i.e. it is a common XSS attack via onMouseOver). To speed up this process a MouseOverJacking attack can be used (with an invisible iframe or via CSS). And taking into account that a click is triggered after pointing the cursor, this attack can be classified as a joint MouseOverJacking + ClickJacking attack.

Protection from MouseOverJacking.

If JavaScript is used for a MouseOverJacking attack, then it is possible to protect against these attacks by turning off JavaScript in the browser, either manually or with the help of suitable browser plugins.

If JavaScript is not used for the MouseOverJacking attack but CSS is, then the above method will not help. But if MouseOverJacking is used to conduct an XSS attack, then turning off JS will protect against the XSS attack (even if MouseOverJacking is realized via CSS). It will not help against DoS attacks via MouseOverJacking, though.

In the case of DoS attacks or any other attacks via MouseOverJacking using CSS, user caution helps (visit only trusted resources), as does updating the browser to the latest version.
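As an added defender-side example, not code from the original article: the following JavaScript flags the full-viewport "cursor trap" that both example payloads above rely on and strips on* event handler attributes from user-supplied HTML, which is the server-side filtering step the XSS section says gets bypassed. The regex tag scanner, the function names and the sample HTML are constructed for this example.

```javascript
// Added example, not from the original article: detect the MouseOverJacking cursor
// trap (an element styled over the whole viewport) and strip on* handlers from HTML.
const TAG_RE = /<([a-zA-Z][\w-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Parse the raw attribute string of one start tag into {name: value} (constructed scanner).
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] || m[3] || m[4] || "").trim();
  }
  return attrs;
}

// True when the inline style stretches the element over the full viewport.
function coversViewport(style) {
  const s = (style || "").toLowerCase().replace(/\s+/g, "");
  return s.includes("width:100%") && s.includes("height:100%") &&
    ["position:absolute", "position:fixed", "display:block"].some((p) => s.includes(p));
}

// Report full-viewport elements that react to a cursor move: an on* handler
// (JavaScript variant) or a bare <a>/<iframe> overlay (CSS variant, as for Chrome).
function findMouseOverJacking(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    if (!coversViewport(attrs.style)) continue;
    const handlers = Object.keys(attrs).filter((k) => k.startsWith("on"));
    if (handlers.length) findings.push({ tag, reason: "handler", handlers });
    else if (tag === "a" || tag === "iframe") findings.push({ tag, reason: "overlay", handlers });
  }
  return findings;
}

// Remove every on* attribute from start tags; other attributes are kept as-is.
function stripHandlers(html) {
  return html.replace(TAG_RE, (whole, name, rawAttrs, slash) => {
    const kept = rawAttrs.replace(ATTR_RE, (attr, key) =>
      key.toLowerCase().startsWith("on") ? "" : attr).replace(/\s+$/, "");
    return `<${name}${kept}${slash}>`;
  });
}

// Constructed sample: the article's two payloads, CSS-only DoS overlay and onMouseOver XSS.
const SAMPLE_HTML = [
  '<a style="width:100%;height:100%;display:block" href="dos:%"></a>',
  '<a href="#" style="width:100%;height:100%;display:block;position:absolute;top:0px;left:0px" onMouseOver="alert(document.cookie)">&nbsp;</a>',
].join("\n");
console.log(findMouseOverJacking(SAMPLE_HTML)); // one "overlay" and one "handler" finding
```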


4 responses to “MouseOverJacking attacks”

  1. juanin says:

    please write it again, it is impossible to understand your article. It looks like you wrote it in an awkward way to hide the fact that the attack is not interesting. Show step by step real examples or you are just pretending to find something new. thanks.

  2. MustLive says:

    juanin

    is impossible to understand your article

    I wrote this article (translated from Ukrainian) as well as I can. So I am sorry if it’s hard for you to understand this article. You can try to read my other articles (their English versions) in case the other ones are easier for you to understand.

    the attack is not interesting

    I don’t think so. For me it’s an interesting technique which can be used for different attacks (as I wrote). For this reason I wrote my article. But it’s your own decision whether this attack technique is interesting for you.

    Show step by step real examples or you are just pretneding to find something new.

    In the “Examples of MouseOverJacking attacks” part of the article I showed real examples. What is incomprehensible for you in those examples?

    You need to save those examples to new html files on your computer and run them to see the result. For the example of the DoS attack on Google Chrome you need an old version (Chrome 0.2.149.27) to see the DoS (crash of the browser). For the example of the XSS attack you need any browser - it works in all current browsers (I tested in my five browsers).

  3. MaXe says:

    These types / kinds of attacks are not new. I’ve been using them for perhaps over a year now and I call / name it: “XSS with EventHandlers” because that’s exactly what it is.

    In cases where has only been “blocked” by f.ex. preg_replace (seen in many cases), is just one of my favorite working examples of getting an alert box still.

    In many other cases, I was inside tags like search-fields that would be located on a site where it would be almost virtually impossible not to mouse-over, and thereby I used the “onmouseover” eventhandler.

    In case there’s “auto-focus” on this search-field that I am talking about, the eventhandler known as “onblur” can also be used.

    To conclude it all: It’s just a matter of how you can apply your knowledge with the current features of the browser you’re using to exploit a website with Cross Site Scripting.

    In HTML5 it’s possible to use more onerror-eventhandlers because more tags support them.

    Best regards,
    MaXe - Founder of InterN0T

  4. MustLive says:

    MaXe

    Thanks for your feedback.

    These types / kinds of attacks are not new

    Don’t confuse it with general XSS attacks with event handlers, because they are different things. I wrote about it in the article - look at the paragraph “The difference between common attack with using of onMouseOver event and MouseOverJacking attack”.

    I’ve been using them for perhaps over a year now and I call / name it: “XSS with EventHandlers”

    I’ve been using XSS via event handlers for many years (the first time I mentioned such XSS at my site was regarding holes at cenzic.com and picosearch.com), but MouseOverJacking is a different type of attack. MouseOverJacking is an automated attack, while XSS via event handlers is not (in most cases). MouseOverJacking uses both XSS holes (via onMouseOver) and special ways to make the attack fully automated - to make it comparable to attacks via styles.

    In cases where has only been “blocked” by f.ex. preg_replace

    As I mentioned, the idea is to make the attack fully automated. And as I mentioned in this article and in the comments to The future of XSS attacks article, for MouseOverJacking there are other attack vectors besides XSS (such as DoS, CSRF and others).

    In HTML5 it’s possible to use more onerror-eventhandlers due to more tags supports them.

    Thanks for mentioning it, I’ll look at the HTML5 specification (at the new onerror-eventhandlers). But for now only some browsers support HTML5. So mouseover is the only event which allows making cross-browser and automated attacks using the MouseOverJacking technique.
