Using Burp to find Clickjacking Vulnerabilities

Clickjacking is a technique in which an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Manually crafting a proof of concept attack can mean laborious hours of offset-tweaking. However, you can use Burp Clickbandit, a point-and-click tool for generating clickjacking attacks, to expedite the process. When you have found a web page that may be vulnerable to clickjacking, you can use Burp Clickbandit to quickly craft an attack, to prove that the vulnerability can be successfully exploited.

Detecting Frameable Response (Potential Clickjacking)

Methodology_Clickjacking_1

If a page fails to set an appropriate X-Frame-Options or Content-Security-Policy HTTP header, it might be possible for a page controlled by an attacker to load it within an iframe. This may enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker.

Burp Scanner passively checks for this potential security flaw.

If the application you are testing is potentially susceptible to Clickjacking, an informational issue will be reported in the Target site map.

 

Clickjacking POC: Burp Clickbandit

Methodology_Clickjacking_2

Burp Clickbandit runs in your browser using JavaScript. It works on all modern browsers except for Internet Explorer and Microsoft Edge. To run Clickbandit, use the following steps.

In Burp, go to the Burp menu and select "Burp Clickbandit".

 

 

 

Methodology_Clickjacking_3

On the dialog that opens, click the "Copy Clickbandit to clipboard" button. This will copy the Clickbandit script to your clipboard.

 

 

 

Methodology_Clickjacking_4

In your browser, visit the web page that you want to test, in the usual way.

Methodology_Clickjacking_5

In your browser, open the web developer console. This might also be called "developer tools" or "JavaScript console".

Methodology_Clickjacking_6

Paste the Clickbandit script into the web developer console, and press enter.

Methodology_Clickjacking_7

The Burp Clickbandit banner will appear at the top of the browser window and the original page will be reloaded within a frame, ready for the attack to be performed.

Note: If you want to prevent the actions that your clicks will perform being executed during recording, use the "disable click actions" checkbox.

Methodology_Clickjacking_8

Then simply execute the sequence of clicks you want your victim to perform.

In this example, we are deleting an account. We click the delete button, then click "OK" in the pop up box.

Methodology_Clickjacking_9

When you've finished recording, click the "finish" button. This will then display your attack for review.

Methodology_Clickjacking_9.1

In this view you can adjust the zoom factor using the plus and minus buttons, toggle transparency allowing you to see the site underneath the button and also change the iframe position using the arrow keys.

Reset allows you to restore the original attack removing any modifications you may have made to the zoom factor or position.

Click the "save" button to download your proof-of-concept attack and save it locally.

 

Methodology_Clickjacking_10

When the clickjacking attack is complete (after the victim has clicked the last link) the message "you've been clickjacked" appears.

You can alter this message in the code to suit your needs.