Last updated 2 years ago

Clickjacking (UI redressing)

Content

📚 What Is Clickjacking (UI redressing)?

⚔ Clickjacking Attack Example

🔎 How To Find?

🛠 Tools

⚙ Clickjacking mitigation

📕 Reference

🔬 Labs


📚 What Is Clickjacking (UI redressing)?

Clickjacking is an attack that tricks a user into clicking a webpage element that is invisible or disguised as another element.

This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

Clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees.

The user believes they are clicking the visible page, but in fact they are clicking an invisible element in the additional page superimposed on top of it.

Clickjacking attacks use CSS to create and manipulate layers.

The attacker incorporates the target website as an iframe layer overlaid on the decoy website. An example using the style tag and parameters is as follows:

Basic Payload


⚔ Clickjacking Attack Example

  1. The attacker creates an attractive page that promises to give the user a free trip to Tahiti.

  2. In the background, the attacker checks whether the user is logged into their banking site and, if so, loads the screen that enables transfer of funds, using query parameters to insert the attacker’s bank details into the form.

  3. The bank transfer page is displayed in an invisible iframe above the free gift page, with the “Confirm Transfer” button exactly aligned over the “Receive Gift” button visible to the user.

  4. The user visits the page and clicks the “Book My Free Trip” button.

  5. In reality, the user is clicking on the invisible iframe and has clicked the “Confirm Transfer” button. Funds are transferred to the attacker.

  6. The user is redirected to a page with information about the free gift (not knowing what happened in the background).


🔎 How To Find?

Find clickjacking vulnerabilities using Burp Suite’s web vulnerability scanner.

There are many browser extensions that tell you whether a page is vulnerable to clickjacking.

A basic way to test whether your site is vulnerable to clickjacking is to create an HTML page and attempt to include a sensitive page from your website in an iframe. It is important to host the test page on another web server (a different origin), because that is the situation a real clickjacking attack creates.

View the HTML page in a browser and evaluate the page as follows:

  • If the text “Website is vulnerable to clickjacking” appears and, below it, you see the content of your sensitive page, the page is vulnerable to clickjacking. ✅

  • If only the text “Website is vulnerable to clickjacking” appears, and you do not see the content of your sensitive page, the page is not vulnerable to the simplest form of clickjacking. ❌


🛠 Tools


⚙ Clickjacking mitigation

There are three main mechanisms that can be used to defend against Clickjacking:

  1. Preventing the browser from loading the page in the frame using the X-Frame-Options or Content Security Policy (frame-ancestors) HTTP headers.

  2. Properly setting authentication cookies with SameSite=Strict (or Lax), unless they explicitly need None (which is rare).

  3. Implementing JavaScript code in the page to attempt to prevent it from being loaded in a frame (known as a “frame-buster”).


  1. X-Frame-Options header. There are three allowed values:

    1. DENY – does not allow any domain to display this page within a frame

    2. SAMEORIGIN – allows the current page to be displayed in a frame on another page, but only within the current domain

    3. ALLOW-FROM URI – allows the current page to be displayed in a frame, but only in a specific URI – for example, www.example.com/frame-page

  2. Content Security Policy (CSP)

    Content Security Policy (CSP) is a detection and prevention mechanism that provides mitigation against attacks such as XSS and clickjacking. CSP is usually implemented in the web server as a return header of the form:

    The recommended clickjacking protection is to incorporate the frame-ancestors directive in the application’s Content Security Policy:

    1. The frame-ancestors ‘none’ directive is similar in behavior to the X-Frame-Options deny directive.

    2. The frame-ancestors ‘self’ directive is broadly equivalent to the X-Frame-Options sameorigin directive. The following CSP whitelists frames to the same domain only:

    3. Alternatively, framing can be restricted to named sites:

      Equivalent to the
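The header rules above turned into a checker, as an added example that is not part of the original page: it classifies a tested page's response headers the way a browser would (CSP frame-ancestors first, then X-Frame-Options; the deprecated ALLOW-FROM counts as no protection because current browsers ignore it) and reports the session cookie's SameSite attribute, the second mitigation listed. The header values are constructed samples.

```python
from typing import Dict, List, Optional

def frame_ancestors(csp: str) -> Optional[List[str]]:
    """frame-ancestors sources (quotes stripped, lower-cased), or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None

def framing_verdict(headers: Dict[str, str]) -> str:
    """Classify as 'blocked', 'same-origin', 'allowlist:<sources>' or 'framable'.

    CSP frame-ancestors wins over X-Frame-Options in browsers that support it,
    so it is checked first.  ALLOW-FROM is deprecated and ignored by current
    browsers, so it is not counted as protection.
    """
    h = {name.lower(): value for name, value in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if not sources or sources == ["none"]:  # an empty list also means 'none'
            return "blocked"
        if sources == ["self"]:
            return "same-origin"
        return "allowlist:" + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "framable"

def session_cookie_samesite(set_cookie: str) -> str:
    """SameSite value of a Set-Cookie header ('strict', 'lax', 'none') or 'missing'.
    A framed page only carries the victim's session if this allows it (mitigation 2)."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip().lower() or "missing"
    return "missing"

# Constructed sample responses for a sensitive page (not captured from a real site).
SAMPLES = {
    "hardened": {"Content-Security-Policy": "frame-ancestors 'none'", "X-Frame-Options": "DENY"},
    "legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "unprotected": {"Set-Cookie": "session=abc123; Path=/; HttpOnly"},
}
```

Run `framing_verdict` over each entry in `SAMPLES`: only "hardened" is blocked outright, "legacy" is framable despite its header, and "partner" is framable by the listed site only.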


📕 Reference

  • Portswigger
  • OWASP
  • Hacktricks
  • Imperva


🔬 Labs

Burp Clickbandit is a tool for generating clickjacking attacks. When you have found a web page that may be vulnerable to clickjacking, you can use Burp Clickbandit to create an attack and confirm that the vulnerability can be successfully exploited.

Install the OWASP Broken Web Applications Project machine and you will have a lot of labs, such as DVWA, bWAPP and WebGoat.