A framework for JavaScript-based CSRF/XSS attacks against home routers. Developed for the Language-Based Security course at Chalmers (spring 2016).
As the framework is written in TypeScript, some assembly is required. However, most build steps are automatically handled by webpack, as specified in the webpack.config.js file.
Before trying to build the project, make sure the following is installed:
- Node.js - Only tested on >= v4.0.0, but older versions might work.
Then use NPM to install application dependencies:
npm install
There are currently two different build variants, prod and dev. The dev build includes debugging features (namely source-maps) and is not minified. The prod build produces a minified version without any source-maps.
The builds are most easily invoked via the npm run command, as below:
# Production build
npm run build:prod
# Development build
npm run build:dev
The output from the builds is found in the ./dist directory.
For development, it is also possible to have the build system watch the files and rebuild the project on change. This is significantly faster than running a manual build each time. To start watching, run:
npm run watch
To run the project, open the index.html file in a browser. The index.html file is found in the output of the builds (i.e. ./dist/prod/index.html for the prod build).
A video was recorded demonstrating the framework: https://www.youtube.com/watch?v=MBjTZufinrA.
A compiled version of the script is also available on the gh-pages: http://verath.github.io/router-hijack/.