You are currently viewing Clickjacking with a frame buster script

Clickjacking with a frame buster script

Introduction to Clickjacking with a frame buster script

Clickjacking with a frame buster script is a web security vulnerability where an attacker attempts to trick a user into interacting with a disguised element on a webpage. Frame buster scripts prevent webpages from being displayed within iframes or framed environments, protecting against clickjacking attacks. However, attackers can bypass or disable the script, allowing malicious overlay elements to be displayed on legitimate webpages. To mitigate this vulnerability, web developers should ensure robust frame buster scripts and implement additional security measures like Content Security Policy (CSP) or X-Frame-Options headers. Prioritizing web security, regularly reviewing and updating frame buster scripts, and implementing layered defenses can minimize the risk of clickjacking attacks and maintain a secure browsing experience for users.

Lab Solutions | Practical Work Time

This lab is protected by a frame buster which prevents the website from being framed. Can you get around the frame buster and conduct a clickjacking attack that changes the users email address?

To solve the lab, craft some HTML that frames the account page and fools the user into changing their email address by clicking on “Click me”. The lab is solved when the email address is changed.

You can log in to your own account using the following credentials: wiener:peter

Stepwise Solution of the lab:-

After accessing this lab, we first noticed My account.

Clickjacking with a frame buster

So, click on My account, and let’s see what we have to do next.

Clickjacking with a frame buster

Well, it’s a login form, Right?

As following credentials: wiener:peter . We filled it, and now click on Log in.

We logged in and saw that it has a few functionality. We will apply our clickjacking technique into it. Now simply click on Go to exploit server.

After clicking on Go to exploit server scroll down a little bit. Now paste the below payload into the body section.

<style>
    iframe {
        position:relative;
        width:$width_value;
        height: $height_value;
        opacity: $opacity;
        z-index: 2;
    }
    div {
        position:absolute;
        top:$top_value;
        left:$side_value;
        z-index: 1;
    }
</style>
<div>Test me</div>
<iframe sandbox="allow-forms"
src="YOUR-LAB-ID.web-security-academy.net/my-account?email=hacker@attacker-website.com"></iframe>

First of all, let me remind you to understand the overview of this lab. You need some basic knowledge of HTML iframe tag & CSS. Now what I did is replace YOUR-LAB-ID.web-security-academy.net/my-account to my LAB link. And according to my screen, I set the width and height also the top & left. So yeah you may ask why we do this and what’s the logic of it, Right? So actually the logic is victim will never understand what will happen to him.

Click on Store and view exploit.

I positioned Test me on Update email. Well, so the victim would never understand. For more fooling the victim we can lower the opacity to 0.0001 instead of 0.1.

Return to the exploit server and change “Test me” to “Click me”.Then click on Deliver exploit to victim.

BOOM! We’ve solved this lab successfully.

Be ready for its other parts 🙂

So Guys welcome to the next topic i.e. Clickjacking, Now as you have started it complete the above topic which is Clickjacking with a frame buster script, after completing this topic then move to the next topic i.e. Multistep Clickjacking. Please follow us for more details & Good Luck!

Thank you for reading, if this article really helps you then do share it with your mates.
And follow @masaudsec on Twitter.

Tags: , , , , , , , , ,

Leave a Reply