A framework for JavaScript-based CSRF/XSS attacks against home routers. Developed for the Language-Based Security course at Chalmers (spring 2016).
As the framework is written in TypeScript, some assembly is required. However, most build steps are automatically handled by webpack, as specified in the webpack.config.js file.
Before trying to build the project, make sure the following is installed:
- Node.js - Only tested on >= v4.0.0, but older versions might work.
Then use NPM to install application dependencies:
```
npm install
```

There are currently two different build variants, prod and dev. The dev build includes debugging features (namely source-maps) and is not minified. The prod build produces a minified version without any source-maps.
The builds are most easily invoked via the npm run command, as below:
```
# Production build
npm run build:prod
# Development build
npm run build:dev
```

The output from the builds is found in the ./dist directory.
For development, it is also possible to have the build system watch the files and rebuild the project on change. This is significantly faster than running a manual build each time. To start watching, run:
```
npm run watch
```

To run the project, open the index.html file in a browser. The index.html file is found in the output of the builds (i.e. ./dist/prod/index.html for the prod build).
A video was recorded demonstrating the framework: https://www.youtube.com/watch?v=MBjTZufinrA.
A compiled version of the script is also available on the gh-pages: http://verath.github.io/router-hijack/.