
Multistep clickjacking

Introduction to Multistep clickjacking

Multistep clickjacking is a variant of clickjacking in which the attacker has to trick the user through more than one click. A transparent iframe containing the legitimate page is layered over decoy content on the attacker's page, so that a sequence of apparently harmless clicks on the decoys lands on a sequence of controls on the real page, for example an action button followed by its confirmation dialog. The goal can range from data theft to unauthorized actions performed in the victim's session. To protect against this attack, web developers should send an X-Frame-Options header or, preferably, a Content-Security-Policy frame-ancestors directive, with script-based frame-busting only as a legacy fallback. Regular security audits, together with input validation and output encoding practices, complement these controls. Prioritizing web security, staying informed about emerging threats, and implementing layered defenses help maintain a secure online environment for users.
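As an added example (not code from this article or from the lab), here is a small checker a defender can run over captured response headers to see which of the protections named above is actually in force for a page such as the lab's /my-account page. The header values are constructed, and the verdict keys are my own naming.

```python
# Added example, not from the original article or the lab: classify a
# response's anti-framing headers so a defender can tell whether the page
# could be loaded inside a third-party <iframe>. Sample headers in the
# test are constructed; the verdict dict keys are my own naming.

def frame_ancestors_sources(csp: str):
    """Return the frame-ancestors source tokens (lowercased), or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def assess_frame_protection(headers: dict) -> dict:
    """Decide whether another origin may frame this response.

    Browsers give a CSP frame-ancestors directive precedence: X-Frame-Options
    is only consulted when that directive is absent.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    sources = frame_ancestors_sources(h.get("content-security-policy", ""))
    if sources is not None:
        # An empty list or 'none' matches no ancestor at all; 'self' keeps it to
        # our own origin. Anything else ('*', a scheme, a host) is flagged for review.
        if not sources or sources == ["'none'"]:
            return {"protected": True, "mechanism": "csp", "note": "frame-ancestors blocks all framing"}
        risky = [s for s in sources if s not in ("'none'", "'self'")]
        if not risky:
            return {"protected": True, "mechanism": "csp", "note": "frame-ancestors limited to same origin"}
        return {"protected": False, "mechanism": "csp", "note": "frame-ancestors allows " + " ".join(risky)}
    xfo = h.get("x-frame-options")
    if xfo is None:
        return {"protected": False, "mechanism": None, "note": "no anti-framing header; page is frameable"}
    value = xfo.lower()
    if value in ("deny", "sameorigin"):
        return {"protected": True, "mechanism": "x-frame-options", "note": "X-Frame-Options: " + value.upper()}
    if value.startswith("allow-from"):
        # ALLOW-FROM was never adopted by all browsers and is obsolete; treat as absent.
        return {"protected": False, "mechanism": "x-frame-options",
                "note": "ALLOW-FROM is obsolete and ignored by current browsers; use frame-ancestors"}
    # Comma-joined or misspelt values are invalid; do not rely on them.
    return {"protected": False, "mechanism": "x-frame-options",
            "note": "unrecognised X-Frame-Options value %r; do not rely on it" % xfo}
```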

Lab Solutions | Practical Work Time

This lab has some account functionality that is protected by a CSRF token and also has a confirmation dialog to protect against clickjacking. To solve this lab, construct an attack that fools the user into clicking the delete account button and the confirmation dialog by clicking on “Click me first” and “Click me next” decoy actions. You will need to use two elements for this lab.

You can log in to the account yourself using the following credentials: wiener:peter

Stepwise solution of the lab:

After opening the lab, the first thing we notice is the My account link.


So, click on My account, and let’s see what we have to do next.


Well, it’s a login form, right?

Fill it in with the credentials wiener:peter and click Log in.

Once logged in, we can see that the account page offers a few functions, including deleting the account; this is where we will apply the clickjacking technique. Now click Go to exploit server.

After clicking Go to exploit server, scroll down a little and paste the payload below into the Body section.

<style>
	iframe {
		/* the target page, stacked above the decoys and made see-through */
		position:relative;
		width:$width_value;
		height: $height_value;
		opacity: $opacity;
		z-index: 2;
	}
	.firstClick, .secondClick {
		/* decoy text placed underneath the real buttons */
		position:absolute;
		top:$top_value1;
		left:$side_value1;
		z-index: 1;
	}
	.secondClick {
		top:$top_value2;
		left:$side_value2;
	}
</style>
<div class="firstClick">Test me first</div>
<div class="secondClick">Test me next</div>
<iframe src="https://YOUR-LAB-ID.web-security-academy.net/my-account"></iframe>

First of all, a reminder of what this lab needs: basic knowledge of the HTML iframe tag and CSS. What I did is replace YOUR-LAB-ID.web-security-academy.net/my-account with my own lab link, and then, according to my screen, set the width and height as well as the top and left values in place of the $width_value, $height_value, $opacity, $top_value and $side_value placeholders. You may ask why we do this and what the logic is. The logic is that the victim never sees what is really being clicked: the transparent iframe sits on top, so a click on the decoy text actually lands on the button beneath it.

Click on Store and view exploit.

I positioned Test me first and Test me next on both buttons, so the victim would not notice anything. To fool the victim further, we can lower the opacity to 0.0001 instead of 0.1.

Return to the exploit server and change “Test me first” to “Click me first” and “Test me next” to “Click me next”. Then click Deliver exploit to victim.

BOOM! We’ve solved this lab successfully.

With this, you have completed the Clickjacking topic: Multistep clickjacking was its last lab. Please follow us for more, and good luck!

Thank you for reading. If this article really helped you, share it with your mates and follow @masaudsec on Twitter.
