initial commit
1 parent 9a60868 commit d26f61e88d3572dc1a7b544b78f923c5e63c9c91
root authored on 26 May 2022
Showing 15 changed files
Examples/android_app_drawer.jpg 0 → 100755
Examples/android_home.jpg 0 → 100755
Examples/android_install.jpg 0 → 100755
Examples/android_running.jpg 0 → 100755
Examples/desktop_install.png 0 → 100755
Examples/desktop_installed.png 0 → 100755
Examples/desktop_running.png 0 → 100755
40
README.md
WebSharePhishing
===============
 
Web share target API phishing PoC
Web share target API phishing PoC - The included PoC when put on a webserver and visited by a browser that allows (tested on android and chrome on win 10) it to be installed will create an application icon that will load the website URL as an application (with the URL bar hidden).
 
This makes for a very effective phishing application when paired with a legitimate looking icon and landing page.
 
The following two pictures demonstrate the install process, in android the bottom bar asking to install automatically appears and on windows you have to click the "install" button which becomes available when the browser/OS allows it:
 
![desktop installation](Examples/desktop_install.png)
![android installation](Examples/android_install.png)
 
Once you have installed the icon will look:
 
![desktop installed](Examples/desktop_installed.png)
![android home screen](Examples/android_home.png)
![android app drawer](Examples/android_app_drawer.png)
 
Finally once the application is launched this is how it looks:
 
![running on android](Examples/android_running.png)
![running on desktop](Examples/desktop_running.png)
bank-192.png 0 → 100755
bank-512.png 0 → 100755
37
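--- a/index.php
+++ b/index.php
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<title>ElBanko</title>
+<meta charset="utf-8">
+<meta http-equiv="X-UA-Compatible" content="IE=edge">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<!-- import the webpage's stylesheet -->
+<link rel="stylesheet" href="./style.css">
+<!-- Manifest -->
+<link rel="manifest" href="./manifest.json">
+</head>
+<body>
+<h1>
+Bank Demo
+</h1>
+<p>
+<center>
+<form>
+<input type="text" placeholder="username" />
+<input type="password" placeholder="password" />
+<input type="submit" value="submit" />
+</form>
+</center>
+</p>
+
+<!-- Install/Share buttons, disabled by default -->
+<div id="installContainer">
+<button id="butInstall" type="button" disabled>
+Install
+</button>
+</div>
+<!-- import the webpage's javascript file -->
+<script src="./script.js"></script>
+</body>
+</html>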
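Review bot: The login form has no `action` and its inputs have no `name` attribute, so a submit carries no field values anywhere. If that is deliberate, which seems likely for a demonstration, say so in a comment above the form, e.g. `<!-- demo only: inputs are unnamed, nothing typed here is transmitted -->`, so the page stays inert when someone edits it later. Separately, `<form>` inside `<center>` inside `<p>` is invalid nesting (the parser closes the `<p>` before `<center>`) and `<center>` is obsolete; a plain `<form>` centred from style.css avoids both.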
26
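--- a/manifest.json
+++ b/manifest.json
@@ -0,0 +1,26 @@
+{
+"short_name": "Bank",
+"name": "Banking Login",
+"share_target": {
+"action": "index.php",
+"method":"GET"
+},
+"description": "Log in to bank",
+"icons": [
+{
+"src": "https://rossmarks.uk/bank/bank-192.png",
+"sizes": "192x192",
+"type": "image/png"
+},
+{
+"src": "https://rossmarks.uk/bank/bank-512.png",
+"sizes": "512x512",
+"type": "image/png"
+}
+],
+"start_url": "index.php",
+"background_color": "#c6f2f7",
+"display": "standalone",
+"scope": "/bank/",
+"theme_color": "#14168c"
+}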
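Review bot: The `share_target` member declares only `action` and `method`, and nothing in index.php reads shared data, so this entry does not appear to be what produces the behaviour the README describes. The Web Share Target specification also lists `params` as a required member, so browsers may ignore the entry altogether. The installed icon and the hidden URL bar follow from `"display": "standalone"` together with `start_url` and `scope`. The README and project title should name the display mode as the mechanism, so a reader assessing the risk knows which manifest field removes the address bar a user would otherwise check.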
54
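--- a/script.js
+++ b/script.js
@@ -0,0 +1,54 @@
+const divResult = document.getElementById('result');
+const divInstall = document.getElementById('installContainer');
+const butInstall = document.getElementById('butInstall');
+
+window.addEventListener('beforeinstallprompt', (event) => {
+console.log('👍', 'beforeinstallprompt', event);
+// Stash the event so it can be triggered later.
+window.deferredPrompt = event;
+// Remove the 'hidden' class from the install button container
+butInstall.removeAttribute('disabled');
+});
+
+butInstall.addEventListener('click', () => {
+console.log('👍', 'butInstall-clicked');
+const promptEvent = window.deferredPrompt
+if (!promptEvent) {
+// The deferred prompt isn't available.
+return;
+}
+// Show the install prompt.
+promptEvent.prompt();
+// Log the result
+promptEvent.userChoice.then((result) => {
+console.log('👍', 'userChoice', result);
+// Reset the deferred prompt variable, since
+// prompt() can only be called once.
+window.deferredPrompt = null;
+// Hide the install button.
+butInstall.setAttribute('disabled', true);
+});
+});
+
+window.addEventListener('appinstalled', (event) => {
+console.log('👍', 'appinstalled', event);
+});
+
+/* Only register a service worker if it's supported */
+if ('serviceWorker' in navigator) {
+console.log('👍', 'navigator.serviceWorker is supported');
+navigator.serviceWorker.register('https://rossmarks.uk/bank/service-worker.js');
+}
+
+/**
+* Warn the page must be served over HTTPS
+* The `beforeinstallprompt` event won't fire if the page is served over HTTP.
+* Installability requires a service worker with a fetch event handler, and
+* if the page isn't served over HTTPS, the service worker won't load.
+*/
+if (window.location.protocol === 'http:') {
+const requireHTTPS = document.getElementById('requireHTTPS');
+const link = requireHTTPS.querySelector('a');
+link.href = window.location.href.replace('http://', 'https://');
+requireHTTPS.classList.remove('hidden');
+}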
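Review bot: The final `http:` block dereferences `document.getElementById('requireHTTPS')`, but index.php in this commit defines no element with that id, so on a plain-HTTP load `requireHTTPS.querySelector('a')` throws a TypeError instead of showing the warning. Either add the element to the page or wrap the three statements that follow the lookup in `if (requireHTTPS) { … }`. The same mismatch applies to `divResult`, which looks up an id `result` that the page does not contain and is never used, and to `divInstall`, which is also unused. Two comments no longer describe the code: the one above `butInstall.removeAttribute('disabled')` talks about a 'hidden' class, and "Hide the install button" sits above a call that only disables it. The promise returned by `navigator.serviceWorker.register(...)` has no rejection handler, so a failed registration goes unreported.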
17
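--- a/service-worker.js
+++ b/service-worker.js
+self.addEventListener('install', (event) => {
+console.log('👷', 'install', event);
+self.skipWaiting();
+});
+
+self.addEventListener('activate', (event) => {
+console.log('👷', 'activate', event);
+return self.clients.claim();
+});
+
+
+self.addEventListener('fetch', function(event) {
+// console.log('👷', 'fetch', event);
+event.respondWith(fetch(event.request));
+});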
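Review bot: The `activate` listener returns the promise from `self.clients.claim()`, but an event listener's return value is discarded, so activation is not held open until the claim settles and a rejection is lost; use `event.waitUntil(self.clients.claim());`. The `fetch` listener only forwards every request unchanged with `fetch(event.request)`, and according to the comment in script.js it exists because installability requires a fetch handler. A one-line comment saying so, e.g. `// pass-through only: present to meet the install criteria, no caching or rewriting`, would tell a reader that the worker does not alter traffic. The commented-out `console.log` in that handler can be deleted.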
 
36
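--- a/style.css
+++ b/style.css
@@ -0,0 +1,36 @@
+body {
+background-color: #c6f2f7;
+font-family: Helvetica, Arial, sans-serif;
+}
+
+h1 {
+text-align: center;
+}
+
+.hidden {
+display: none !important;
+}
+
+button[disabled] {
+opacity: 0.5;
+border: 1px solid rgba(20, 22, 140, 0.5) !important;
+}
+
+#installContainer {
+position: absolute;
+bottom: 1em;
+display: flex;
+justify-content: center;
+width: 100%;
+}
+
+#installContainer button {
+background-color: inherit;
+border: 1px solid #14168c;
+font-size: 1em;
+padding: 0.75em;
+}
+
+#butInstall {
+margin-left: 1em;
+}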