Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Blackhat Europe: Next Generation Clickjacking

Next Generation Clickjacking (Paul Stone)

Abstract (source: Blackhat.com)

Clickjacking is a technique that can be used to trick users into performing unintended actions on a website by formatting a web page so that the victim clicks on concealed links, typically hidden within an IFRAME. However, in comparison to other browser-based attacks such as XSS (Cross-site Scripting) and CSRF (Cross-site Request Forgery), Clickjacking has hitherto been regarded as a limited attack technique in terms of consequences for the victim and the scenarios in which it can be used. During this talk I intend to demonstrate that this assumption is incorrect, and that today’s Clickjacking techniques can be extended to perform powerful new attacks that can affect any web application.

This talk will cover the basics of Clickjacking, quickly moving on to more powerful, and newly developed, techniques. The presentation will explore further ways in which a user can be tricked into interacting with a victim site and how these can lead to attacks such as injecting data into an application (bypassing all current CSRF protections) and the extraction of data from websites without the user’s knowledge. The demo will show several cross-browser techniques, and newly released browser-specific vulnerabilities in Internet Explorer, Firefox and Safari/Chrome which can be used to take full control of a web application.

I will also be demonstrating and releasing a new tool that allows for easy point-and-click creation of multi-step Clickjacking attacks on any web application, by visually selecting the links, buttons, fields and data to be targeted. The tool will highlight the need for improved Clickjacking defences in both browsers and web applications.

Talk Abstract –> Next Generation Clickjacking

Speaker Bio –> Paul Stone

Talk outline:

  • Quick Introduction to Clickjacking
  • Four new cross-browser attack techniques
  • Clickjacking tool
  • Browser specific exploits

Introduction to clickjacking

“Any site can frame any other site, even https”

This attack method uses an iFrame to load the target site's content inside the attacker's page. This doesn't, however, mean that the attacker can read that content, since the same origin policy still applies. This is where clickjacking comes into play.

By using a mixture of CSS and JavaScript it's possible to fool a user into thinking they are clicking a link on the attacker's page, when the click actually lands in the hidden iFrame and performs an action on the target site instead.

Why is this important

Although this attack isn't as widespread as XSS or CSRF (yet), interest in it is increasing and, considering how young the technique is, it could soon be more popular than XSS.

CSRF – Can only submit a transaction, cannot read the response directly… can be prevented using one-time tokens.

Clickjacking however can be used to bypass these token protections, because it is the real form (token included) that gets submitted by the user's own click. The problem is that you can only force a user to click things; it isn't easy to get them to fill out a form with only a mouse. One possible approach is for the attacker to pre-populate a form and then get the user to click the submit button.

Many sites make clickjacking easy. However, if the submit button moves for any reason (adverts, etc.) then the click will miss (or perform another action).

Using the URL fragment (the #subheading part of a URL, which scrolls the page to the element with that ID), however, the attacker can ensure the button appears in the expected location within the iFrame.

e.g. http://example.org/page.html#subheading

Even if the site doesn't have a named anchor tag, the attacker can use the ID attribute of a form element as the fragment target.

Drag and Drop data transfer

All browsers implement the Drag and Drop API. This includes cross-domain drags!

e.g. <div ondragstart="event.dataTransfer.setData('text', 'some text')">Drag me</div>

This gives the attacker the opportunity to use Drag and Drop to fill values into a form.

The process:

  1. Position text field in hidden iframe
  2. Get user to start dragging something
    • Scrollbar, slider, game piece
  3. Set drag data
  4. Make iframe follow cursor
  5. User releases mouse button, drops text into field
  6. Position submit button in iframe
  7. Get user to click

Downsides of Drag and Drop

Harder to get the user to carry out the process; more social engineering is required.

Reversing the process

So how can drag and drop be made more useful? Reverse it: drag data out of the iFramed window (the sensitive stuff) into the attacker's site, where it becomes readable.

By forcing a user to select text on a page, you can get them to drag it out of the iFrame into the attacker's site. This isn't as tricky as it sounds.

Beyond just selecting specific text, how about stealing the whole HTML source?

Why it’s better:

  • URLs for every link on the page
  • Sourcecode for inline Javascript
  • Values in hidden form fields
  • “secret” values such as CSRF tokens

This is made possible by using an editable HTML area as the drop target: a selection dropped into an editable area is inserted as HTML rather than plain text, so the markup (link URLs, inline scripts, hidden fields) comes across with it.

Content Extraction

Two drags are needed for each page, however position doesn’t matter.

Could be useful for Intranet recon

Works in all the latest browsers (IE, FF, Safari, Chrome)

Java Drag and Drop

Sometimes getting the user to perform multiple drag and drops isn't realistic. Java offers a separate drag and drop API, which is more advanced.

The MouseDragGestureRecognizer class is especially interesting, as it can be overridden to turn a single click into a valid drag and drop action. Taking this further, a hidden Java applet can perform the drag and drop automatically without the user needing to perform any action whatsoever.

This technique is called “Form Spraying”

Some browsers require the mouse to be moved between each drop. Linux also doesn't seem to support this technique; Mac OS X, however, does.

Leaky iFrames

The same origin policy prevents data from being read from an embedded iFrame on a different domain.

Using fragment positioning, however, it is possible to read back the scroll position of the iFrame to see if particular content is present. This can be useful to check whether a user is logged into an account or not.

By requesting the iFrame to scroll to the form ID “currentLabel” for example, the attacker can check to see if the iFrame scrolls. If the scroll position changes, then the user is logged into the iFramed site.

It is also possible to brute-force IDs using this technique.


X-Frame-Options –> If set, it prevents the site from being displayed in an embedded iFrame.

However, this isn't supported in older browsers. Firefox also doesn't yet support this header.
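Since every technique in these notes (click redirection, drag and drop, content extraction, leaky iFrames) first needs the victim page to be frameable, the first thing to audit is whether a response carries a usable X-Frame-Options header. The following is an added example (not code from the talk, the blog, or the CAT tool) that assesses constructed sample responses with placeholder hostnames; it treats DENY and SAMEORIGIN as reliable and ALLOW-FROM as only partial protection, because not every browser honours it.

```javascript
// Added example; not code from the talk, the blog, or the CAT tool.
// Checks whether an HTTP response carries a usable X-Frame-Options header,
// i.e. whether the page can be put into an attacker's iframe at all.
// DENY and SAMEORIGIN are the reliable values; ALLOW-FROM is not honoured
// by every browser, so it is reported as partial.

function assessFrameProtection(headers) {
  // Header names are case-insensitive; find the value whatever the casing.
  let value = null;
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === 'x-frame-options') value = String(headers[name]).trim();
  }
  if (value === null) {
    return { status: 'unprotected', reason: 'no X-Frame-Options header' };
  }
  const upper = value.toUpperCase();
  if (upper === 'DENY' || upper === 'SAMEORIGIN') {
    return { status: 'protected', reason: value };
  }
  if (upper.startsWith('ALLOW-FROM ')) {
    return { status: 'partial', reason: 'ALLOW-FROM is not honoured by all browsers' };
  }
  // Anything else (typos, multiple values) is ignored by browsers, which
  // leaves the page frameable while looking protected in a config file.
  return { status: 'unprotected', reason: `unrecognised value "${value}" is ignored` };
}

// Audit related endpoints together: the notes above point out that the
// mobile version of a site is often left unprotected even when the desktop
// version sets the header, so the variants are compared side by side.
function auditVariants(responses) {
  const findings = [];
  for (const url of Object.keys(responses)) {
    const result = assessFrameProtection(responses[url]);
    if (result.status !== 'protected') {
      findings.push(`${url}: ${result.status} (${result.reason})`);
    }
  }
  return findings;
}

// Constructed sample responses with placeholder hostnames: the desktop site
// sets the header, the mobile variant omits it, and the login page has a typo.
const SAMPLE_RESPONSES = {
  'https://www.example.com/account': { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Type': 'text/html' },
  'https://m.example.com/account': { 'Content-Type': 'text/html' },
  'https://www.example.com/login': { 'x-frame-options': 'SAME-ORIGIN' },
};

console.log(auditVariants(SAMPLE_RESPONSES).join('\n'));
```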

Alternatively, the site can use frame-busting JavaScript to detect if the site is being loaded in an iFrame. This can, however, be bypassed using various techniques. For example, it's possible to force an iFrame to load with JavaScript disabled in Firefox. In Internet Explorer it's also possible to load a site in designMode to display the content without it being interactive.

Not many sites implement protections, and those that have are usually still vulnerable. For example, mobile versions of sites are usually not protected due to lack of support. Twitter and Facebook are examples of this.
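The frame-busting bypasses above work because the naive check only runs when the page's script runs. The following added example (not code from the talk or the blog) shows the fail-closed variant: the page ships a style element that hides the body, and the script removes it only after confirming the page is top-level, so a frame in which the script never runs shows nothing to click or drag. The window and document are parameters so the logic can be exercised with the constructed stand-ins included below.

```javascript
// Added example; not code from the talk or the blog. A frame-busting pattern
// that fails closed. The page ships a style element that hides <body>, e.g.
//   <style id="clickjack-blocker">body { display: none !important; }</style>
// and the script removes it only after confirming the page is top-level. If
// the script never runs, the body stays hidden and there is nothing in the
// iframe to click or drag. The window and document are parameters so the
// logic can be exercised with the constructed stand-ins further down.

function frameBustDecision(win) {
  try {
    // Top-level page (or same-origin frame): safe to display.
    if (win.top === win.self) return 'show';
  } catch (err) {
    // Guard against environments where touching win.top throws; a throw
    // means the page is certainly framed by a foreign origin.
  }
  return 'bust';
}

function applyFrameBusting(win, doc) {
  const decision = frameBustDecision(win);
  if (decision === 'show') {
    const blocker = doc.getElementById('clickjack-blocker');
    if (blocker) blocker.parentNode.removeChild(blocker);
  } else {
    // Navigate the framing top-level window to our own URL. Writing to
    // top.location is permitted cross-origin even though reading it is not.
    win.top.location = win.self.location;
  }
  return decision;
}

// Constructed stand-ins for window and document (placeholder URLs).
function makeFramedWindow() {
  return { top: { location: 'https://attacker.example/' },
           self: { location: 'https://bank.example/account' } };
}
function makeTopWindow() {
  const self = { location: 'https://bank.example/account' };
  return { top: self, self: self };
}
function makeDocument() {
  const blocker = { removed: false };
  blocker.parentNode = { removeChild() { blocker.removed = true; } };
  return { blocker, getElementById: id => (id === 'clickjack-blocker' && !blocker.removed ? blocker : null) };
}
```

X-Frame-Options remains the primary control; this script is defence in depth, and its value is that the framed page stays blank rather than interactive whenever the script is prevented from running.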

Context App Tool (CAT)


Basic testing: See if you can put the page into an iFrame

Clickjacking tool

Browser based – best used with Firefox.

Tool takes you step by step through creating a clickjacking attack

Supports the methods discussed in the presentation

Links to both tools are below

Additional Links

For more information please see the Blackhat Europe website
