https://github.com/mal-tee/protector-js

POC script that can be deployed alongside (untrusted) third-party scripts to prevent unwanted changes of href-attributes.

# `Protector.js`

`Protector.js` is a proof-of-concept script that can be deployed alongside (untrusted) third-party scripts to prevent Click Interception via changed href-attributes of hyperlinks.

## Threat Model
This script only protects against unwanted changes to links which are made by third-party scripts.

## Usage
This script must be included before any third-party script.
```html


Shop



//This will be allowed by the regex
s.href = 'shop.html#cart';

```

## Idea
`protector.js` overwrites the `href` attribute setter on the link prototype.
The setter is then called on writes like `a.href = "http://b.ad"`, so unwanted changes can be discarded. This is only a proof of concept and does not protect against other kinds of Click Interception. We assume, however, that protection against other kinds, such as interception with event handlers, can be implemented similarly.
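
The setter override described above can be sketched as follows. This is an added example, not code from the protector.js repository: `protectHref`, `FakeAnchor` and the allow-list regex are hypothetical, and `FakeAnchor` is a constructed stand-in for `HTMLAnchorElement` so the block also runs outside a browser.

```javascript
// Added illustration, not protector.js's own code; protectHref and FakeAnchor are hypothetical names.
function protectHref(proto, allowPattern) {
  const original = Object.getOwnPropertyDescriptor(proto, 'href');
  if (!original || typeof original.set !== 'function') {
    throw new TypeError('prototype has no href accessor to wrap');
  }
  // Drop g/y flags: RegExp.prototype.test is stateful with them (lastIndex)
  // and can reject a later legitimate write.
  const allow = new RegExp(allowPattern.source, allowPattern.flags.replace(/[gy]/g, ''));
  const blocked = []; // discarded values, kept so the page can log or report them
  Object.defineProperty(proto, 'href', {
    get: original.get,
    set(value) {
      const candidate = String(value);
      if (allow.test(candidate)) {
        original.set.call(this, candidate); // allowed: forward to the real setter
      } else {
        blocked.push(candidate); // discarded: the link keeps its previous target
      }
    },
    enumerable: original.enumerable,
    configurable: false, // scripts loaded later cannot redefine or delete the wrapper
  });
  return blocked;
}

function demo() {
  // Constructed stand-in for HTMLAnchorElement so the example runs outside a browser.
  class FakeAnchor {
    #href;
    constructor(href) { this.#href = href; }
    get href() { return this.#href; }
    set href(value) { this.#href = String(value); }
  }
  // Constructed allow-list: the shop page, optionally with a fragment.
  const blocked = protectHref(FakeAnchor.prototype, /^shop\.html(#[\w-]*)?$/);
  const s = new FakeAnchor('shop.html');
  s.href = 'shop.html#cart'; // matches the allow-list, applied
  s.href = 'http://b.ad';    // no match, discarded
  return { href: s.href, blocked };
}

// In a page: call protectHref(HTMLAnchorElement.prototype, pattern) before any third-party script.
console.log(demo());
```

The wrapper only sees writes that go through the `href` property setter, in line with the README's note that other kinds of Click Interception are not covered.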