I presented Clickjacking for Shells at the OWASP Wellington, New Zealand Chapter Meeting on September 20th, 2011.

Abstract

Two years after the world was warned about clickjacking, popular web apps are still vulnerable and no web app exploits have been published. With many security pros considering clickjacking to have mere nuisance value on social networks, the attack is grossly underestimated. I will demonstrate step by step how to identify vulnerable applications, how to write exploits that attack web apps, and how to protect against clickjacking. To demonstrate this issue I will publish an 0day clickjacking exploit for WordPress v3.1.2 and earlier to gain a shell on the webserver. In May this year, the tech media reported and speculated upon clickjacking protection being implemented in WordPress, and now I will show you why it is so important.

Advisory

TXT Advisory View

PDF Advisory http://security-assessment.com/files/documents/advisory/Security-Assessment.com WordPress v3.1.2 Clickjacking Advisory.pdf

Exploit code

Security-Assessment.com WordPress Clickjacking Exploit.zip Download

The ZIP file contains the following files:

clickjack.php – The final clickjacking exploit

index-1.html – Tutorial 1 of how to exploit clickjacking

index-2.html – Tutorial 2 of how to exploit clickjacking

index-2-inner.html – Part of Tutorial 2

README – Description

wordpress-add-admin-payload.js – Cross-Site Scripting (XSS) payload

wordpress-upload-shell-payload.js – Cross-Site Scripting (XSS) payload

Presentation

Clickjacking for Shells PDF (Without video demos) Download

Video