QRLJacking, or Quick Response Code Login Jacking, is a simple but nasty attack vector that affects every application relying on the “Login with QR code” feature as a secure way to sign in to accounts; its goal is to let attackers hijack users' sessions.

QRLJacking is the combination of Clickjacking + SSO (Single Sign On) + QR code.
Installation
Prerequisites before installation:
- Linux or MacOS. (Does not work on Windows)
- Python 3.7+
- Update the Firefox browser to the latest version
- Install the latest geckodriver release from here, extract the file, and then:
chmod +x geckodriver
sudo mv -f geckodriver /usr/local/share/geckodriver
sudo ln -s /usr/local/share/geckodriver /usr/local/bin/geckodriver
sudo ln -s /usr/local/share/geckodriver /usr/bin/geckodriver
- Clone the repository and change into the program folder:
git clone https://github.com/OWASP/QRLJacking
cd QRLJacking/QRLJacker
- Install all requirements with
pip install -r requirements.txt
- You can now run the framework with
python3 QrlJacker.py --help
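The installation steps above, wrapped as a POSIX shell helper that verifies the prerequisites (supported OS, Python 3.7+, an extracted geckodriver binary, git) before running the documented commands. This is an added example, not part of the OWASP QRLJacking project. It assumes the geckodriver binary was already downloaded and extracted to the path in `$GECKODRIVER_SRC` (default `./geckodriver`), and that git and pip have network access when the `install` action is used; the `check` action runs offline. It uses `ln -sf` instead of the README's `ln -s` so the script can be re-run without failing on existing links.

```shell
#!/bin/sh
# Added installation helper for the prerequisites listed in the README.
# Not part of the OWASP QRLJacking project: it only wraps the README's own
# steps behind a few checks. Assumptions: geckodriver has already been
# extracted to $GECKODRIVER_SRC (default ./geckodriver), and git/pip have
# network access when "install" is run.

# Print "yes" if the kernel name (as from `uname -s`) is one the README
# supports, "no" otherwise. Windows environments (MINGW/MSYS/CYGWIN) are rejected.
os_supported() {
    case "$1" in
        Linux|Darwin) echo yes ;;
        *) echo no ;;
    esac
}

# Return 0 when version $1 >= version $2, comparing major.minor only
# (patch level is ignored; a bare "3" counts as 3.0).
version_ge() {
    a_major=${1%%.*}
    a_minor=${1#"$a_major"}; a_minor=${a_minor#.}; a_minor=${a_minor%%.*}
    b_major=${2%%.*}
    b_minor=${2#"$b_major"}; b_minor=${b_minor#.}; b_minor=${b_minor%%.*}
    if [ "$a_major" -gt "$b_major" ]; then return 0; fi
    if [ "$a_major" -lt "$b_major" ]; then return 1; fi
    [ "${a_minor:-0}" -ge "${b_minor:-0}" ]
}

# Print the major.minor version of the interpreter named in $1 (e.g. python3).
python_version() {
    "$1" -c 'import sys; print("%d.%d" % sys.version_info[:2])'
}

# Verify every prerequisite, printing what is wrong; return non-zero on failure.
check_prerequisites() {
    ok=0
    [ "$(os_supported "$(uname -s)")" = yes ] || { echo "unsupported OS: $(uname -s)"; ok=1; }
    pyver=$(python_version python3 2>/dev/null) || { echo "python3 not found"; ok=1; }
    if [ -n "$pyver" ] && ! version_ge "$pyver" 3.7; then
        echo "python3 $pyver is too old, need 3.7+"; ok=1
    fi
    src=${GECKODRIVER_SRC:-./geckodriver}
    [ -f "$src" ] || { echo "geckodriver binary not found at $src"; ok=1; }
    command -v git >/dev/null 2>&1 || { echo "git not found"; ok=1; }
    return $ok
}

# The README's steps, run only after the checks pass.
install_qrljacker() {
    check_prerequisites || return 1
    src=${GECKODRIVER_SRC:-./geckodriver}
    chmod +x "$src"
    sudo mv -f "$src" /usr/local/share/geckodriver
    sudo ln -sf /usr/local/share/geckodriver /usr/local/bin/geckodriver
    sudo ln -sf /usr/local/share/geckodriver /usr/bin/geckodriver
    git clone https://github.com/OWASP/QRLJacking
    cd QRLJacking/QRLJacker || return 1
    pip install -r requirements.txt
    python3 QrlJacker.py --help
}

# Usage: sh install_qrljacker.sh check   -> only run the prerequisite checks
#        sh install_qrljacker.sh install -> checks, then the documented steps
case "${1:-}" in
    check)   check_prerequisites ;;
    install) install_qrljacker ;;
esac
```

Run `sh install_qrljacker.sh check` first; it reports every missing prerequisite at once instead of stopping at the first one, which saves a round-trip when setting up a fresh lab machine.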
Tested on
- Ubuntu 18.04 Bionic Beaver
- Kali Linux 2018.x and above
Usage
Command-line arguments
usage: QrlJacker.py [-h] [-r ] [-x ] [--debug] [--dev] [--verbose] [-q]
optional arguments:
-h, --help show this help message and exit
-r Execute a resource file (history file).
-x Execute a specific command (use ; for multiples).
--debug Enables debug mode (Identifying problems easier).
--dev Enables development mode (Reloading modules every use).
--verbose Enables verbose mode (Display more details).
-q Quit mode (no banner).
Main help menu
General commands
=================
Command Description
--------- -------------
help/? Show this help menu.
os <command> Execute a system command without closing the framework
banner Display banner.
exit/quit Exit the framework.
Core commands
=============
Command Description
--------- -------------
database Prints the core version, check if framework is up-to-date and update if you are not up-to-date.
debug Drop into debug mode or disable it. (Making identifying problems easier)
dev Drop into development mode or disable it. (Reload modules every use)
verbose Drop into verbose mode or disable it. (Make framework displays more details)
reload/refresh Reload the modules database.
Resources commands
==================
Command Description
--------- -------------
history Display commandline most important history from the beginning.
makerc Save the most important commands entered since start to a file.
resource <file> Run the commands stored in a file.
Sessions management commands
============================
Command Description
--------- -------------
sessions (-h) Dump session listings and display information about sessions.
jobs (-h) Displays and manages jobs.
Module commands
===============
Command Description
--------- -------------
list/show List modules you can use.
use <module> Use an available module.
info <module> Get information about an available module.
previous Runs the previously loaded module.
search <text> Search for a module by a specific text in its name or in its description.
Module help menu
General commands
=================
Command Description
--------- -------------
help/? Show this help menu.
os <command> Execute a system command without closing the framework
banner Display banner.
exit/quit Exit the framework.
Core commands
=============
Command Description
--------- -------------
database Prints the core version and then check if it's up-to-date.
debug Drop into debug mode or disable it. (Making identifying problems easier)
dev Drop into development mode or disable it. (Reload modules every use)
verbose Drop into verbose mode or disable it. (Make framework displays more details)
reload/refresh Reload the modules database.
Resources commands
==================
Command Description
--------- -------------
history Display commandline most important history from the beginning.
makerc Save the most important commands entered since start to a file.
resource <file> Run the commands stored in a file.
Sessions management commands
============================
Command Description
--------- -------------
sessions (-h) Dump session listings and display information about sessions.
jobs (-h) Displays and manages jobs.
Module commands
===============
Command Description
---------- --------------
list/show List modules you can use.
options Displays options for the current module.
set Sets a context-specific variable to a value.
run Launch the current module.
use <module> Use an available module.
info <module> Get information about an available module.
search <text> Search for a module by a specific text in its name or in its description.
previous Sets the previously loaded module as the current module.
back Move back from the current context.
Sessions command help menu
usage: sessions [-h] [-l] [-K] [-s] [-k] [-i]
optional arguments:
-h Show this help message.
-l List all captured sessions.
-K Remove all captured sessions.
-s Search for sessions with a specifed type.
-k Remove a specifed captured session by ID
-i Interact with a captured session by ID.
Jobs command help menu
usage: jobs [-h] [-l] [-K] [-k]
optional arguments:
-h Show this help message.
-l List all running jobs.
-K Terminate all running jobs.
-k Terminate jobs by job ID or module name
Vulnerable web applications and services
Many well-known web applications and services were vulnerable to this attack as of the date this document was written. Here are some (reported) examples, including but not limited to:
- Chat applications: WhatsApp, WeChat, Line, Weibo, QQ Instant Messaging
- Mail services: QQ Mail (personal and business), Yandex Mail
- E-commerce: Alibaba, Aliexpress, Taobao, Tmall, 1688.com, Alimama, Taobao Trips
- Online banking: AliPay, Yandex Money, TenPay
- “Critical” passport services: Yandex Passport (Yandex Mail, Yandex Money, Yandex Maps, Yandex Videos, etc.)
- Mobile management software: AirDroid
- Other services: MyDigiPass, Zapper & Zapper WordPress Login by QR Code plugin, Trustly App, Yelophone, Alibaba Yunos
Repository: https://github.com/OWASP/QRLJacking