Weaponizing Clickjacking Attack With Click Content Jacking
I Would like to share one simple trick to make clickjacking attack’s more impactful in simple Word’s.
Before getting into topic , let’s understand what click-jacking Means in 101 :
Clickjacking is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information while clicking on seemingly innocuous web pages. ~ Wikipedia
Clickjacking attack basically means Tricking the user into clicking something by framing Page to perform some malicious Action’s. ~ 101
- Suppose we are Targeting (http://victim.com) Which is simple Blogging Website .
- And the Site is Vulnerable to Clickjacking Attack .
- What we Do Next ?
What we normally do is , Report it as (Tricking the users to comment on Blog Post through Clickjacking ) with Severity : Low~Medium
But Wait, Don’t give up so Easily , Keep Digging Something .
By Bruteforcing or Traveling though http://victim.com application, Suppose we end up at Something like http://victim.com/api/user.json and it also doesn’t have X-FRAME-OPTIONS header.
- Now we can Chain both http://victim.com (Blog Post)and http://victim.com/api/user.json (User RestAPI Body) Together to leak the Confidential data though Blog post Comment .
- I Simply Hosted malicious.html on my server , framing both above (Blog post) and (API body).
~ Note: SOP(Same Origin Policy) will Allow Drag and Drop behavior only if Both Frames have Same Origin i.e (http://victim.com)
- Now We can see , We were able to Leak/Steal Sensitive Thing’s like (API,CSRF Token etc from API) ~ Severity : High
- The Reason Why i call it as ~ClickContentJacking(CCJ)~ is Here we are Tricking the user to Steal the Content of the Site with Drag and Drop Behaviour . Content Can be Anything It can JSON,XML,JS or HTML Body . For Demonstration Purposed I Have used JSON.
- That’s All About it !
~Feedback’s And Edit’s Are Welcome~