Security Researcher Dylan Ayrey discovered new web based attack called XSSJacking which will combine the meaning of Clickjacking, Self-XSS and PasteJacking.
The malicious practice of manipulating a website user’s activity by concealing hyperlinks beneath legitimate clickable content, thereby causing the user to perform actions of which they are unaware.
Ex: Loading a secure login page inside iframe with which an attacker can steal your credentials.
Self-XSS is one of the popular Social Engineering Attack used by Attackers to trick users into paste the malicious code in browser. Results in attacker accessing to the whatever website you visit. Usually scammers use this attack for tricking users to buy products or get money through online survey .
Ex: If anyone says “Iphone only $10”, Don’t eager to click it.
The art of changing what you copy from web pages is known as PasteJacking. Nearly all browsers allow websites to run commands on the users’ computers. This feature can allow malicious websites to take over your computers’ clipboard.
Ex: Demo url is available here. The copied text is modified as echo “NullNews”.
This is an attack that can trigger Self-XSS if the page in question is also vulnerable to Clickjacking. A malicious actor can steal cookies, inbox messages, change profile settings (phone numbers, emails, etc.), to steal profile details, or perform other malicious actions.
XSSJacking was a way to chain the two issues together in such a way that got unsuspecting logged in users to XSS themselves
How to Prevent XSSJacking:
- One solution may be to verify the contents of your clipboard before pasting into a terminal, but be careful where you verify these commands. For example if you paste into vim, vim macros may be used to exploit you.