Introduction

Today I chose to talk about Clickjacking. I think some people underestimate what this attack might do, and since I have some Proof-of-Concepts (PoCs), I will be using them to illustrate this topic.

Note: I consider this to be special or less typical ClickJacking Attack, because normally, it is intended to hide the content of the iframe so that the user ends in interacting with it, which is not the case here. Yet, I think it is a nice variation.

Why Bother ?

Basically, a successful ClickJacking attack might have a serious impact on the victim’s information confidentiality and integrity of the actions he is willing to do. As an example, sending login credentials to the attacker, stealing likes from social media, there are an infinite number of possibilities regarding the context of the environment.

How is the attack accomplished ?

In HTML, there is this tag called <iframe></iframe> , that is used to display content of a website within another web site. But this content is analogous to a new tab in the browser, so it still has security related properties like the Same-Origin Policy and so on. Since the attacker controls the top page, he can actually make it look appealing for the user to interact with it. The problem resides in the fact that when the victim clicks in some element thinking it will make action ‘X’, it will instead make an action that benefits the attacker.

Materializing

So in this assessment, there was a service where you could have remote access to a bunch of machines from the outside, as long as you provided the valid credentials:

There are two major defenses against Clickjacking, which are the use of the directive Frame-Ancestors from the Content-Security-Policy HTTP Header and the X-Frame-Options Header, each of which doesn’t seem to be present in the target response headers.

By inserting its URL in the iframe tag on my malicious site we can check if it is really vulnerable:

First step to Clickjacking accomplished!

After that, I realised that the info an attacker would like to get would be a valid pair of credentials, with it an attacker would have access to the internal machines.

I tried to reproduce a scenario where the victim would somehow access my malicious page (won’t discuss how it would be accomplished since it is not in the scope of the matter) thinking it was the real website. The victim would view the original web site but it actually is viewing it within an iframe . At this point, I just needed him to enter his credentials and submit them to me.

For that, I created a hidden form, where the input boxes would be just above the ones in the iframe, with the same colour and size, and a hidden button above the original OK button.

It would look like this :

Now, when the victim writes his credentials, he will actually be writing content inside my input boxes:

The victim sees everything looking normal as the original page, however, when he clicks the button for submitting its data, he will actually be clicking my hidden submission button, sending its pair credentials to me.

Let’s Be Real…

Of course, this is a Proof of Concept, just to show the point. In the real world, more tricks would be needed, like a javascript code to clear the form so the second time the victim tried to login he would actually be logging in to the application, or the size of the iframe should be bigger to emulate the actual size of the original page, as well as having some more javascript code to also resize the hidden form taking into account the actual size of the browser’s window (zooming in/out), etc.

Solution

As I said earlier in this topic, there are two major defenses, you can use the X-Frame-Options Header or the directive Frame-Ancestors from the Content-Security-Policy HTTP Header to deny rendering your service in an iframe or even scope which domains you allow to frame your service.

For more info read here :

Greetings

Thank you for reading my first post, I hope it has added more knowledge to you and hopefully for me too with the community feedback, since it is the point of creating this blog.