JS/HTML injection via SSID

Question

jn4kr opened this issue 5 years ago · comments

As you can see it's possible to inject HTML/Javascript in the attack page via the ssid.

Create a beacon with the tag you wan't to inject as SSID (e.g. <svg onload="alert('1')"/> )
Select the beacon as target
Switch to the attack page

mina nageh salama · Answer 1 · Wed Mar 20 2019 19:36:42 GMT+0800 (China Standard Time)

@jn4kr ...
Does android even process these WiFi names in the available wifis list ?!

jnk · Answer 2 · Wed Mar 20 2019 20:00:04 GMT+0800 (China Standard Time)

Yeah. But i think it's off topic, so I'll sent you a mail about this topic.

Luna Simons · Answer 3 · Fri Mar 22 2019 01:41:18 GMT+0800 (China Standard Time)

Project is kinda dead but once i really don’t know what to do, i’ll think about it.

kingdevnl · Answer 4 · Sat Apr 06 2019 04:41:46 GMT+0800 (China Standard Time)

We might be able to strip out all HTML code using a REGEX?

Deleted user · Answer 5 · Thu Oct 31 2019 19:46:01 GMT+0800 (China Standard Time)