Users are often the weakest link when probing for vulnerabilities, and it's no surprise they can be easily fooled. One way to do this is called clickjacking. This type of attack tricks the victim into clicking something they didn't mean to click, something under the attacker's control. Burp Suite contains a useful tool called Clickbandit to generate a clickjacking attack automatically.
Clickjacking is a technique used to trick a user into unknowingly clicking on something using multiple layers, usually a button or link, when intending to click on the top layer. This can be accomplished through the use of hidden iframes, text boxes, or stylesheets. Clickjacking, also called UI redressing, is a portmanteau of the words click and hijacking. Thus, the attacker is essentially hijacking the clicks of the user to perform actions without the user's knowledge.
In recent years, Facebook "likes" have been the target of this type of attack and has come to be known as Likejacking. Basically, unsuspecting users would be tricked into liking Facebook pages that they didn't mean to like.
To get started, we need to fire up Mutillidae and Burp Suite. Next, we will configure Burp to work as a proxy in the browser so we can intercept requests.
In Firefox, navigate to "Preferences," and scroll all the way down to the section titled Network Proxy. Click on the "Settings" button, select "Manual proxy configuration," and enter 127.0.0.1 as the HTTP Proxy and 8080 as the Port. Now, check "Use this proxy server for all protocols," and make sure it is blank under No Proxy for. Click "OK," and we should be good to go.
In Burp, go to the "Proxy" tab and make sure "Intercept is on" is enabled. Next, back in Mutillidae, simply browse to the home page where we will perform the clickjacking attack. We should now see the request appear in Burp.
At the top of the window, go to the "Burp" menu, and select "Burp Clickbandit" from the drop-down. A new window will pop up with instructions for using this tool.
Following the instructions, click the "Copy Clickbandit to clipboard" button, which will copy the script to the clipboard. Next, in the browser, go back to the Mutillidae home page. In Burp, we can either forward the request or turn the intercept feature off to reload the page.
The Clickbandit banner should now appear at the top of the browser, with options to start and finish the proof of concept. We can also check the "Disable click actions" checkbox so that our clicks will not register while we are recording the attack.
Now, all we have to do is perform the series of clicks we want the victim to do. In this case, we will simply click the "Login/Register" button. When finished, click "Finish," and the proof of concept will be presented for review.
There are also options here to zoom in or out, toggle transparency, move the iframe position using the arrow keys, or reset the attack. When satisfied, hit the "Save" button to save the proof of concept locally as an HTML file for later modification and use.
When the attack is performed, and the victim clicks the hidden iframe we inserted, a message appears conveying the vulnerability.
At this point, the message can be altered in the HTML file or code can be inserted to perform more malicious activities.
Although clickjacking is not part of the OWASP Top 10, it still poses a significant danger to unsuspecting users. Consequences of this type of attack can include simple website defacement, sensitive data exposure, and deletion of private information. Luckily, there are a couple of easy ways to defend against clickjacking.
One of the easiest client-side defenses is to use an extension like NoScript, which contains a feature to prevent users from clicking on invisible or embedded objects.
Another more robust approach is to employ the use of Content Security Policy frame-ancestors, a sort of successor to the X-Frame-Options header, to disallow framing from other potentially malicious domains. Yet another defense against clickjacking is to simply ensure that there is code in place to make the current frame the top-level window of the UI at all times.
Clickjacking can be a valuable means of attack in the right situations, but it is often time-consuming to manually craft an attack. Burp Suite includes a feature called Clickbandit to automate this process, making it effortless to generate an attack. Once a proof-of-concept is created and a vulnerability is proven to exist, all it takes is some imagination to customize it for an easy point and click hack.