Clickjacking With Burp Suite

Table Of Contents

• Clickjacking With Burp Suite
  • Talk Scope
  • What Is Clickjacking?
  • Clickjacking Ex: Evil.com
  • Clickjacking Ex: Evil.com (CONT.)
  • Clickjacking Mitigations
  • Mitigations: Content Security Policy (CSP)
  • Mitigations: CSP Examples
  • Mitigations: CSP Examples (CONT.)
  • Mitigations: CSP Compatability
  • Mitigations: CSP vs X-Frame-Options
  • Mitigations: X-Frame-Options
  • Mitigations: X-Frame-Options (Compatability)
  • Burp Clickbandit Ex
  • Misc Clickjacking Examples
  • Additional Resources
  • Error Log

Talk Scope

• Learn Clickjacking through an interactive example
  • Plunker
• Leverage Burp Suite to create a Clickjacking PoC
• Learn to defend against Clickjacking attacks
  • X-Frame-Options and Content-Security-Policy
• Witness how helmet Express.js middleware can stop Clickjacking attacks

What Is Clickjacking?

• Many sensitive actions (or state changes) require clicks
• Clickjacking jacks clicks from one part of the application, and applies them to a sensitive/unintended action
• Occurs because a malicious website makes UI alterations
  • AKA "UI redress attack"

Clickjacking Ex: Evil.com

• iframe
  • Loads in Flash Settings page (or other sensitive page)
• Login Here button
  • Something the user is likely to click
• CSS alterations

Clickjacking Ex: Evil.com (CONT.)

• Plunker Example
  • https://sts.tools/clickjacking

Clickjacking Mitigations

• Content-Security-Policy
• X-Frame-Options

Mitigations: Content Security Policy (CSP)

• HTTP Response Header
• Controls the browser's security settings for a given website
• frame-ancestors directive
  • Controls if a webpage can be used within a frame or iframe
  • Evil.com Ex:
    • <iframe src="https://victim.example.com"></iframe>

Mitigations: CSP Examples

• Content-Security-Policy: frame-ancestors 'none';
  • Prevents any domain from framing the content
  • ' are required
• Content-Security-Policy: frame-ancestors 'self';
  • Only allows the current site to frame the content
    • Everything within the current origin

Mitigations: CSP Examples (CONT.)

• Content-Security-Policy: frame-ancestors 'self' '*.somesite.com' 'https://myfriend.site.com';
  • Framing access
    • Current site
    • Any page on somesite.com (using any protocol)
    • Only the page myfriend.site.com using https (with the default port 443)
• Examples via https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

Mitigations: CSP Compatability

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
• CSP is relatively new vs X-Frame-Options HTTP response header

Mitigations: CSP vs X-Frame-Options

• CSP is meant to replace X-Frame-Options header
  • Many current defenses still leverage X-Frame-Options header
    • Ex: helmet library for Express.js (Node.js)
      • https://github.com/helmetjs/helmet

Mitigations: X-Frame-Options

• X-Frame-Options: DENY
• X-Frame-Options: SAMEORIGIN
• X-Frame-Options: ALLOW-FROM https://example.com/

Mitigations: X-Frame-Options (Compatability)

• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Burp Clickbandit Ex

• Use Burp Suite to clickjack FAmazon Juice
• Prerequisites
  • Burp Suite
    • Security testing tool for web applications
    • https://portswigger.net/burp/communitydownload
  • FAmazon Juice

    • Intentionally vulnerable web app

      git clone https://github.com/SecuringTheStack/tutorials
      cd $TUTORIAL_REPO/ep12-clickjacking
      docker-compose up

Misc Clickjacking Examples

• Starting a malware download
• Following someone on Twitter
  • Variations for Facebook likes, etc.
• Clicking Google ads to generate pay-per-click revenue
• https://blog.guya.net/2008/10/07/malicious-camera-spying-using-clickjacking/

Additional Resources

• Same Origin Policy Tutorial

Error Log