Folders and files Name Name Last commit message
Last commit date
parent directory
View all files
Browser Clipboard Attacks Browser Clipboard Attacks/Defense
Live example of a CSS clipboard attack
Can give the attacker remote code execution
Live example of a Javascript clipboard issue
Understand how invisible characters in your clipboard can invade your privacy
Learn how clipboard attack mitigations can be bypassed
Learn secure ways of interacting with our clipboard
Env Setup
docker run -it ubuntu bashapt-get update && apt-get install -y gitWill give you a safe terminal prompt
https://sts.tools/clipboard-attacks-css Paste in Version #1 and Version #2 into the terminal
What differences do you notice?
Phishing
Attacker puts link in <div>
Check out this new bitcoin exchange at https://exchange.example.comUser can’t click the link, so they copy/paste
Attacker places https://evil-exchange.example.com into the clipboard
Further obfuscation
Could remove itself from $HOME/.bash_history
How does the CSS Vector compare with the Javascript Vector?
Clipboard APIs: document.execCommand()
document.execCommand() Cross-Browser Clipboard Access
document . execCommand ( 'cut' ) ;
document . execCommand ( 'copy' ) ;
document . execCommand ( 'paste' ) ;
You can use the cut and copy commands without any special permission if
you are using them in a short-lived event handler for a user action (for
example, a click handler) - Mozilla
onclick within <body>
Much more invasive compared to CSS Vector
https://sts.tools/clipboard-attacks-js Ad networks that allow Javascript execution
On all bitcoin sites, copy malicious bitcoin address to clipboard
“How to Buy X Cryptocurrency” Article
Override clipboard to contain attacker controlled bitcoin address
Clipboard APIs: Clipboard Api
Experimental technology
Meant to give more granular permissions
Replacing execCommand
Additional Resources
Chrome Dev Fiddle
Future JS Clipboard Attacks?
Potential future attacks as clipboard apis advance
What if Javascript could easily copy an image to the clipboard?
Image Compression Bombs
To calculate how much memory an image will require to render, simply
multiply the pixel ratio by the bit-depth –– a 50Kx50K pixel, 8-bit (RGB)
image will require about 2.5GB (50,000 x 50,000 x 1 byte = 250,000,000
bytes) - https://bomb.codes/bombs
Other Javascript considerations?
Example: https://umpox.github.io/zero-width-detection/
Zero-width characters
Invisible characters that are not usually displayed
How does this work?
Username is converted to binary
Binary username is converted to zero-width characters
Inserted zero-width username into the text
More info within link above
Mitigations: Zero-width Characters Mitigations: Terminal Attacks
“Paste Into Vim”
Paste into CLI utility
Pasting ^Z will return to the shell
Bracketed Paste Mode
When set, pasted text is delimited with control sequences so that the
program can differentiate pasted text from typed-in text
What if the attack string contains the closing delimiter?
Mitigations: Terminal Attacks (CONT.)
Takeaway
Just inspect the text outside of an execution context :)
Chrome address bar doesn’t respect newlines
iterm Advanced Paste Mode
Copy Pest
Facebook iOS app reading information from clipboard
You can’t perform that action at this time.