Index.html
<!DOCTYPE html>
<html lang="en">
<head>
<title>Clipboard Demo</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Exploration into the clipboard mechanic in Operating Systems and how browsers can interact with them. Live examples included!">
<link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0/css/materialize.min.css">
<link rel="apple-touch-icon" sizes="180x180" href="images/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="32x32" href="images/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="images/favicon-16x16.png">
<link rel="manifest" href="site.webmanifest">
<link rel="stylesheet" href="css/main.css">
</head>
<body class="center-align fade-in stay-put">
<h1>Clipboard Code Demo</h1>
<p>JavaScript, the premier language of the Web, is a pretty interesting language. You can't
directly take control of someone's cursor, force them to right-click, or really do anything
outside of the browser without making them download and open something on their actual
machine (as JavaScript is confined to the browser itself). However, it can still be abused,
and there are a few exceptions. I noticed that you can take control of the clipboard,
even though the clipboard lives outside of the browser. See for yourself: press
<code>Ctrl + V</code> and paste into the field below (or anywhere else).
</p>
<div class="input-container">
<input placeholder="Try pasting in here!" onpaste="pasteText()">
</div>
<p id="pasteChecker" class="hide">If this works, you should see the text "Pretty cool trick isn't it?"
pasted even though you know you didn't copy that. Controlling the clipboard without
permission only works on Chromium based browsers (Google Chrome, the new Microsoft Edge,
Brave, Opera, etc.). Mozilla Firefox, the mobile versions of the browsers just mentioned, and possibly
others demand permission, so the request is denied.
</p>
<p>
While being able to do this in any browser may come as a shock, it has its practical
uses (any website or application that needs clipboard read/write access to work, such as a web extension).
</p>
<p><b>Malicious things can only be done this way if:</b></p>
<ol>
<li><b>Text is copied and pasted directly into a terminal where code can execute.</b></li>
<li><b>Sensitive information that is left in the clipboard isn't cleared and is then pasted elsewhere.</b></li>
</ol>
<p>The term for malicious things done in this fashion is
<b>pastejacking</b>, and it is mostly a threat to programmers and power users, but anyone can
be vulnerable.</p>
<p>It's also a best practice to clear your clipboard if you're copying and pasting sensitive
information in a public environment where your device is left unattended (e.g. the workplace):
as one of the links below shows, the clipboard can be accessed even without logging into a computer (Windows 10).
Your clipboard can be cleared by copying anything that isn't sensitive (overwriting it); however, keep in mind that
<b>Clipboard History</b> (
<a href="https://www.howtogeek.com/351978/using-windows-10s-new-clipboard-history-and-cloud-sync/">Win 10</a> /
<a href="https://setapp.com/how-to/how-to-view-clipboard-history-on-mac">Mac</a> /
<a href="https://www.addictivetips.com/ubuntu-linux-tips/search-clipboard-history-linux-indicator-bulletin/">Linux</a> )
may also be enabled on your computer (disabled by default on Windows 10, possible with a <b>Clipboard Manager</b> in Linux).
</p>
<p>To really drive this point home, here's another demo that works in 99% of browsers, as it's
done with CSS, which is rarely filtered. Copy the text "Good Code" below and paste it into the input provided
(or anywhere):
</p>
<span class="code-text"><u>Good <span class="pastejack-text">Way To Get Hacked With </span> Code</u></span>
<div class="input-container">
<input placeholder="Another one, really?">
</div>
<p>All in all, this is an easy thing to fall for, as it can be achieved with CSS and/or JavaScript
plus enticing a user to copy and paste, but once you know what can happen it is an easy thing to avoid.
It's also worth noting that even with extensions that block all scripts, like
<a title="Script/Ad Blocker" href="https://github.com/gorhill/uBlock">uBlock Origin (or uMatrix)</a>, or with all JavaScript disabled in the browser settings,
it can still be done with just CSS, so you still have to pay attention. The clipboard by itself
can't run scripts/commands, so again, just watch where you paste. I used a lot of copying and pasting
to create this. Happy Pasting!
</p>
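<p>As an added example (not code from the original demo), here is the defensive side of "watch where you paste": a paste guard that reads the real clipboard text from the paste event, the one clipboard read a page gets without a permission prompt, and blocks the paste when it contains hidden line breaks, zero-width characters, or differs from the text the user believes they selected. All function names and the sample strings are this example's own assumptions.</p>

```javascript
// Added defensive example (not code from the original demo): inspect what is really on
// the clipboard at paste time, using the "paste" event, which is the one clipboard read a
// page gets without a permission prompt. All names below are this example's own.

// Zero-width characters that can hide inside otherwise innocent-looking text.
const HIDDEN_CHARS = /[\u200b\u200c\u200d\u2060\ufeff]/;

// Returns a report on pasted text. `expected` is optional: the text the user believes
// they copied (e.g. the visible selection), to catch clipboard contents swapped behind it.
function analyzePaste(text, expected) {
  const lines = text.split(/\r\n|\r|\n/);
  const reasons = [];
  if (lines.length > 1) {
    reasons.push("contains a line break (a terminal would run the first line immediately)");
  }
  if (HIDDEN_CHARS.test(text)) {
    reasons.push("contains zero-width characters");
  }
  if (expected !== undefined && text.trim() !== expected.trim()) {
    reasons.push("clipboard text differs from the visible selection");
  }
  return { text: text, lineCount: lines.length, safe: reasons.length === 0, reasons: reasons };
}

// Attach to an <input>: when the paste looks unsafe, cancel it and show the real content
// as plain text (textContent, never innerHTML) so the user can look before they paste.
function installPasteGuard(input, previewEl, expectedProvider) {
  input.addEventListener("paste", function (event) {
    const pasted = event.clipboardData.getData("text/plain");
    const expected = expectedProvider ? expectedProvider() : undefined;
    const report = analyzePaste(pasted, expected);
    if (!report.safe) {
      event.preventDefault();
      previewEl.textContent = "Blocked paste (" + report.reasons.join("; ") + "):\n" + pasted;
    }
  });
}

// Constructed sample mirroring this page's CSS demo: the page shows "Good Code", but the
// clipboard actually carries the hidden words as well.
function demoReport() {
  return analyzePaste("Good Way To Get Hacked With  Code", "Good Code");
}
```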
<p id="clipReader"></p>
<h2>Want to learn more about the clipboard?</h2>
<hr>
<div class="row">
<div class="col s12 m6">
<div class="card hoverable"> <!-- Specify Card Color -->
<div class="card-content grey-text"> <!-- Specify Card Head Text Color -->
<span class="card-title">Accessing the clipboard from the lock screen in Win 10</span>
<p class="grey-text">
A short article about how you can find input fields (network settings) in the Windows 10
login interface where you can paste text, revealing whatever was saved to the clipboard
even without having the proper credentials.
</p>
</div>
<div class="card-action">
<a href="https://msitpros.com/?p=3746">msitpros.com/?p=3746</a>
</div>
</div>
</div>
<div class="col s12 m6">
<div class="card hoverable"> <!-- Specify Card Color -->
<div class="card-content grey-text"> <!-- Specify Card Head Text Color -->
<span class="card-title">Using a clipboard manager to run commands/scripts</span>
<p class="grey-text">
Normally a clipboard is just for copying and pasting, and is often used to speed up
work, especially programming. However, with the power of a clipboard manager you can do
some powerful things to possibly improve productivity!
</p>
</div>
<div class="card-action">
<a href="https://lifehacker.com/copyq-runs-commands-and-scripts-on-content-copied-to-th-1561705745">lifehacker.com/copyq..</a>
</div>
</div>
</div>
</div>
<div class="row">
<div class="col s12 m6">
<div class="card hoverable"> <!-- Specify Card Color -->
<div class="card-content grey-text"> <!-- Specify Card Head Text Color -->
<span class="card-title">An In-depth look at the CSS version of pastejacking</span>
<p class="grey-text">
This shows the inner workings of the second demo on this page, and demonstrates with its
own demo that multiple lines of code, not just extra text, can be hidden inside copied text.
</p>
</div>
<div class="card-action">
<a href="http://lifepluslinux.blogspot.com/2017/01/look-before-you-paste-from-website-to.html">lifepluslinux.blogspot.com/</a>
</div>
</div>
</div>
<div class="col s12 m6">
<div class="card hoverable"> <!-- Specify Card Color -->
<div class="card-content grey-text"> <!-- Specify Card Head Text Color -->
<span class="card-title">Github repository explaining pastejacking and security</span>
<p class="grey-text">
This repository includes examples and information on how to defend your terminal,
whether it be
<a href="https://medium.com/@fay_jai/what-is-vim-and-why-use-vim-54c67ce3c18e">Vim</a>,
or the command prompt in Windows and Mac. Demo 1 was based on this repository.
</p>
</div>
<div class="card-action">
<a href="https://github.com/dxa4481/Pastejacking">github.com/dxa4481/Pastejacking</a>
</div>
</div>
</div>
</div>
<script>
// Demo 1: write to the clipboard as soon as the page's script runs (no user gesture).
navigator.clipboard.writeText("Pretty cool trick isn't it?").then(function() {
  console.log("Successfully copied to clipboard. (Example 1)");
}, function() {
  console.log("Couldn't copy to clipboard. (Example 1)");
});
// Called from the first input's onpaste: reveal the explanation paragraph, then let it settle.
function pasteText() {
  var pasteChecker = document.getElementById("pasteChecker");
  pasteChecker.setAttribute("class", "fade-in");
  setTimeout(() => { pasteChecker.setAttribute("class", "stay-put"); }, 1500);
}
/*
I was wondering if it was possible to read someone's clipboard without user permission,
but I don't think that it is possible, as I haven't seen it documented anywhere except
for working on Internet Explorer in the 2000s.
The function below can only read the clipboard during copy/paste/cut events the user has triggered,
so it would have to be wired up as an event handler (e.g. onpaste="clipboardMindReader(event)").
function clipboardMindReader(event) {
  var clipContents = event.clipboardData.getData("text/plain");
  if (clipContents === "") {
    console.log("says the clipboard is empty. hmm...");
  } else {
    // textContent, not innerHTML, so any markup in the clipboard is shown rather than rendered
    document.getElementById("clipReader").textContent = clipContents;
  }
}
*/
</script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0/js/materialize.min.js"></script>
</body>
</html>