Clickjacking is an attack that uses an iframe to load a vulnerable page, overlaid with arbitrary content so you cannot see the original page. The attacker puts UI elements in strategic locations to induce a user to click on them, but the clicks are passed through to the vulnerable page instead.
The ability to load a page in an iFrame is a necessary but not sufficient condition for the vulnerability. The page has to do something “dangerous” based solely on mouse clicks. “Dangerous” probably means something behind authentication (and then cookie-handling rules become important).
If a frame-able page has an “add pineapple to your pizza” button, that’s ripe for a clickjacking attack: a logged-in user would be in for a terrible surprise.
A login form may appear to be vulnerable, but how are you going to trick a user into typing creds for SiteA while they think they’re on SiteB? (answer: password managers that auto-fill those fields)
Even so, there’s rarely a good reason for a site to allow itself to be framed by arbitrary other sites, so it would be reasonable to report any frame-able site as “informational” even if there’s no clickjacking opportunity.
Tools
- Burp Suite has Clickbandit, which is based on JavaScript you paste into your browser’s console. This is probably your best route to a realistic-looking attack, when it works.
- There’s also an HTML file here that you can use for a simple custom demo. It’s an edited version of one by Tim Tomes.
  clickjacker
  The HTML comments there tell you how to use it:
  - Use the “page” parameter to specify a URL, e.g. “…clickjacker.html?page=http://pwnedhub.com”.
  - Edit the “top” and “left” values for the #clickbutton style to put the button over something interesting.
- Pasting the value of the content-security-policy header into https://csp-evaluator.withgoogle.com/ is OK, since it won’t be tied to the URL it comes from (and since Google is Google and collects this data for a living anyhow).
- Avoid things like http://clickjacker.io/ because you’d be telling an unknown third party about the customer you’re testing.
  - Also because clickjacker.io will falsely report sites as vulnerable: it doesn’t properly read a CSP that sets frame-ancestors 'none'.
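Since the frame-ability check above (the necessary condition for clickjacking) is exactly what a third-party checker can get wrong, here is an added example of doing it locally, in Python. It is not code from the page or from any of the tools it names. It decides frame-ability the way a browser does: an enforced CSP frame-ancestors directive takes precedence over X-Frame-Options, a Report-Only policy does not block anything, and frame-ancestors 'none' is read correctly. It goes beyond that one case to 'self', wildcard host sources, scheme sources and ports. The header sets in the usage section are constructed, not captured from any real site, and the matcher keeps scheme comparison strictly equal (CSP3 also lets an http: source match an https: framer), which is an assumption on the conservative side.

```python
"""Decide whether a page may be framed from a given origin, as a browser would:
CSP frame-ancestors wins when present, otherwise X-Frame-Options applies.
Added example; not code from the original page."""
import re
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Serialize scheme://host[:port], dropping the scheme's default port."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), (u.hostname or "").lower(), u.port
    if port is None or port == _DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def _source_allows(source: str, framer: str, page: str) -> bool:
    """Match one frame-ancestors source expression against the framer's origin.

    Handles 'none', 'self', '*', scheme-source (https:) and host-source
    ([scheme://][*.]host[:port|:*]). Anything else (nonces, hashes, typos)
    is not valid here and is treated as no match.
    """
    src = source.strip().lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return framer == page
    if src == "*":
        return True
    f = urlsplit(framer)
    if re.fullmatch(r"[a-z][a-z0-9+.-]*:", src):  # scheme-source, e.g. "https:"
        return f.scheme == src[:-1]  # assumption: strict scheme equality
    m = re.fullmatch(r"(?:([a-z][a-z0-9+.-]*)://)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?", src)
    if not m:
        return False
    scheme, wildcard, host, port = m.groups()
    if scheme and scheme != f.scheme:
        return False
    f_port = f.port or _DEFAULT_PORTS.get(f.scheme)
    if port is None:
        # No port in the source: the framer must be on its scheme's default port.
        if f_port != _DEFAULT_PORTS.get(f.scheme):
            return False
    elif port != "*" and int(port) != f_port:
        return False
    f_host = f.hostname or ""
    if wildcard:  # "*.partner.example" matches subdomains only, not the apex
        return f_host.endswith("." + host)
    return f_host == host


def frame_ancestors(csp: str):
    """Return the frame-ancestors source list from one CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:] or ["'none'"]  # an empty source list means 'none'
    return None


def frameable_by(headers, page_url: str, framer_url: str):
    """Can the page served with these response headers be framed by framer_url?

    headers is a list of (name, value) pairs so repeated headers survive.
    Returns (allowed, reason).
    """
    page, framer = origin_of(page_url), origin_of(framer_url)
    # Only the enforced header counts; Content-Security-Policy-Report-Only never blocks.
    policies = [v for n, v in headers if n.lower() == "content-security-policy"]
    directives = [fa for fa in map(frame_ancestors, policies) if fa is not None]
    if directives:
        # Every enforced policy carrying frame-ancestors must allow the framer,
        # and once the directive is present browsers ignore X-Frame-Options.
        for sources in directives:
            if not any(_source_allows(s, framer, page) for s in sources):
                return False, f"blocked by CSP frame-ancestors {' '.join(sources)}"
        return True, "allowed by CSP frame-ancestors"
    for n, v in headers:
        if n.lower() == "x-frame-options":
            tokens = [t.strip().lower() for t in v.split(",")]
            if "deny" in tokens:
                return False, "blocked by X-Frame-Options: DENY"
            if "sameorigin" in tokens:
                if framer == page:
                    return True, "same-origin framing allowed by X-Frame-Options: SAMEORIGIN"
                return False, "blocked by X-Frame-Options: SAMEORIGIN"
            # ALLOW-FROM and any other value: current browsers ignore the header.
            return True, f"X-Frame-Options value {v!r} is not enforced by browsers"
    return True, "no framing restriction at all"


if __name__ == "__main__":
    # Constructed header sets, not captured from any real site.
    samples = [
        ([("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")], "https://shop.example", "https://other.example"),
        ([("X-Frame-Options", "DENY"), ("Content-Security-Policy", "frame-ancestors *")], "https://shop.example", "https://other.example"),
        ([("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")], "https://shop.example", "https://other.example"),
    ]
    for hdrs, page_url, framer_url in samples:
        print(framer_url, "->", page_url, frameable_by(hdrs, page_url, framer_url))
```

A site that comes back as frameable from an arbitrary origin with no enforced restriction is the "informational" finding described above; whether it is a real clickjacking issue still depends on what the page does on a bare click.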