Blog | G5 Cyber Security

The curse of inverse strokejacking

A rogue site can put an unrelated, third-party web application in a hidden frame – and then, by offering some seemingly legitimate functionality, entice the user to type in a body of text. As the user is typing, the attacker is free to examine key codes from within the onkeydown handler – and when desired, momentarily move focus to said hidden frame, causing the actual onkeypress event to be routed there instead. The trick essentially permits arbitrary, attacker-controlled input to be synthesized on the targeted site.”]

Source: http://lcamtuf.blogspot.com/2010/06/curse-of-inverse-strokejacking.html

Exit mobile version