Hackt3r

Click for it…

Hello everyone and hope you are doing good.


Today let us learn about the clickjacking vulnerability: what it is and how to find one. So let us dive right in.


What is clickjacking

Clickjacking is simply an attack that tricks users into clicking buttons on web pages that are hidden or disguised as legitimate elements. This can cause the unintentional download of malware, leaking credentials, redirecting to a malicious web page, transfer of money, and so on from the victim’s device.


This can cause serious damage to the user as well as the organization, because sensitive information of the user or the organization is leaked or damage is caused to the system. So let us learn how we can find this vulnerability.


How to find it

  1. One simple way to find this is by visiting a website, going to the sign-up page, and copying its URL.

  2. Paste the URL into the src attribute of the iframe element in the code.

  3. Now save this file with an .html extension and open it in your browser.

  4. If you can see the changes shown in the pictures below, then the web application is vulnerable to clickjacking.

Original Web page


Malicious web page


There are many resources on the internet to make your own code. If you are not familiar with programming, I would suggest you learn it. But for now, there are GitHub repos with the code. You can find one with a simple Google search. I will leave this task to you.


All the code samples are the same with different styles, but let me brief you about how this works. Every sample contains these basic elements:

  • <html> — It represents the root of the HTML document.

  • <head> — It stores the metadata. It normally contains the data of the title, style, scripts, etc.

  • <title> — It is present between <head> and </head> elements. This represents the title of the document.

  • <body> — It defines the document’s body. It holds all elements of an HTML document.

  • <style> — It is used to give style (CSS) to the document.

  • <div> — It defines division or section in the document.

  • <iframe> — An iframe, also called an inline frame, is an HTML element that loads another HTML page within the document. When a web browser encounters an iframe element, it creates a new HTML document to load the contents within. It takes the code from the tag we give or the src we provide.

Now that you understand what these tags are, you know how the code works. So, we are basically checking whether the web page can actually be loaded and changed using the iframe element.


Exploitation

  1. The attack starts with the attacker verifying the web page is vulnerable to clickjacking.

  2. Then the attacker creates code to perform a malicious activity (such as downloading malware or stealing credentials) and hosts it on a web server.

  3. The malicious web page link is sent to the victim.

  4. The victim, unaware of the hidden elements (because they are not visible), will click on the button and boom!!! You are officially in the attacker’s trap.


Impact

The main impact of this vulnerability is that the attacker can steal the credentials of users, download malware on the victim’s device, make him transfer money, or get a script running on the main drive and get a hold of the user’s system. This seriously damages the reputation of the organization, as this loophole is damaging the user’s property.


Remediation

The best way to mitigate this vulnerability is by returning the proper headers in response to the requests made.

  1. Sending a proper Content Security Policy (CSP) framing policy, which doesn’t allow framing of the web pages from other domains.

  2. Properly setting authentication cookies with SameSite=Strict.

  3. In older browsers, including a frame-killing JavaScript in pages to prevent them from being included in foreign iframes.

  4. Using the X-Frame-Options HTTP header to indicate whether a browser should be allowed to render a page in a <frame>, <iframe> or <object> tag.
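
The headers from items 1 and 4 can be audited directly on a response you own, without building a test page. The following is an added example, not code from the original post: it classifies a response by its CSP `frame-ancestors` directive (the CSP directive that controls framing) and its X-Frame-Options value. The function names and the sample header sets are constructed for illustration.

```python
def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def framing_protection(headers):
    """Classify one response: 'blocked', 'restricted' or 'framable'."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        # Browsers that support frame-ancestors ignore X-Frame-Options.
        sources = [s.lower() for s in csp["frame-ancestors"]]
        if not sources or sources == ["'none'"]:
            return "blocked", "frame-ancestors matches no origin"
        if any(s in ("*", "http:", "https:") for s in sources):
            return "framable", "frame-ancestors allows any origin"
        return "restricted", "frame-ancestors " + " ".join(sources)
    raw = h.get("x-frame-options", "")
    xfo = {v.strip().lower() for v in raw.split(",") if v.strip()}
    known = xfo & {"deny", "sameorigin", "allowall"}
    # Conflicting values that include a known keyword also block framing.
    if "deny" in xfo or (len(xfo) > 1 and known):
        return "blocked", "X-Frame-Options denies framing"
    if xfo == {"sameorigin"}:
        return "restricted", "X-Frame-Options SAMEORIGIN"
    if xfo:
        return "framable", "X-Frame-Options value does not restrict framing: " + raw
    return "framable", "no frame-ancestors directive and no X-Frame-Options header"


# Constructed sample responses (not taken from any real site).
SAMPLES = {
    "no headers": {"Content-Type": "text/html"},
    "legacy only": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "both set": {"X-Frame-Options": "DENY",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, "->", framing_protection(hdrs))
```

The "legacy only" sample is reported as framable because current browsers do not honour the obsolete ALLOW-FROM value, so a page relying on it alone has no framing protection.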


This is a low-impact issue, but when chained with other vulnerabilities it can have a high impact. So check the scope before trying this out.


Hope you enjoyed the article and learned something new today. Catch you all in the next post with another vulnerability. Check out my Instagram to know more about tips and tricks for finding bugs.


Till then take care and Happy Hacking!!!👋👋
