Why Clickjacking is bad and some pentest firms are wrong


I work with a fair few ladies and gents who do bug bounties and while sitting on the beach during one of our hack on the beach sessions, I posed the question “How friggin evil is clickjacking, PoC or GTFO.” The challenge was set, and here is what we decided.


What we really needed was a credit card company in 2019 that had a clickjacking vulnerability on its web portal. Thankfully, I actually have a card issued by S*************. I know they have a clickjacking vulnerability, and it is still there despite my having reported it to them. For the ultimate challenge, I would open a link sent by each tester and, if it passed the sniff test, I would perform a £10 transfer transaction. Could they intercept it?

Apparently there is no risk, according to one big pentesting and bug bounty firm.

Clickjacking = get rich quick scheme.

A bold statement. 5 seasoned penetration testers. 1 attack vector. 4 attacks that passed the sniff test, and all £500 of the money stolen. How?

Step 1 – The Web Server

To start with, what we needed was a visually similar domain name. A few were located, and web servers were set up on them with valid SSL certificates. To make the journey really convincing, an email server was also set up to send and receive email. This step is really important, as it carries the attack.

Step 2 – The Illusion

This is where the attacker's HTML, CSS and JavaScript skills really come into play. Loading a website into a full-width iframe is easy; a 4-year-old can do it. Now we add two critical elements:

  1. JavaScript glass pane

  2. Keylogger

It is possible to use just the second and keylog the entire session, but points were awarded for evilness. Of course, we are not going to put the actual code used in here, but it took less than two hours to get the snippets from Google, so enjoy that.

2.1 – JavaScript Glass Pane

The purpose of the glass pane is to separate the victim from the end site. This is quite literally a man-in-the-middle attack against the user. By tracking mouse positions and clicks, it was possible to build a database of likely positions and intentions, essentially mapping the user journey.

Now came the evil part. Whenever the user entered what looked like an account transfer, the destination account number and sort code submitted were the attacker's, not what the victim actually typed. Anything returned on screen was masked by a <div> showing what the victim would have expected to see. The amount remained the same.

2.2 – Keylogger

With a transaction identified, the keylogger could now replay the same transaction a few times before the user logged out. Even if the user closed the browser window, it would still run until the session timed out. The keylogger, in this case, re-ran the same transaction minus £1.50. If it succeeded, it would run again, minus another £1.50, and loop until the site logged out or returned an error.
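The overlay in 2.1 and the replay in 2.2 both rely on the portal being loadable in a cross-origin iframe in the first place, which is exactly what the anti-framing headers prevent. As an added example (not code from the post), the JavaScript below takes a set of response headers, as a tester would capture them from a portal, and reports whether a given origin could frame the page, following the browser precedence rules: a CSP frame-ancestors directive wins over X-Frame-Options, and X-Frame-Options values other than DENY or SAMEORIGIN (including the obsolete ALLOW-FROM) are ignored by current browsers. The sample responses and the origins bank.example, lookalike.example and partner.example are constructed for the demo.

```javascript
// Added example (not code from the post): decide from captured response headers
// whether a page can be framed by a given origin. Browser behaviour modelled:
// a CSP frame-ancestors directive takes precedence over X-Frame-Options, and
// X-Frame-Options values other than DENY / SAMEORIGIN (including the obsolete
// ALLOW-FROM) are ignored by current browsers. Ports are ignored for brevity.

function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      // 'self' and 'none' are quoted in the header; strip the quotes here
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null; // a policy with no frame-ancestors falls back to X-Frame-Options
}

// source: one frame-ancestors token; page / framer: URL objects
function sourceMatches(source, page, framer) {
  if (source === 'none') return false;
  if (source === '*') return true;
  if (source === 'self') return page.origin === framer.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return framer.protocol === source; // e.g. "https:"
  let host = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) {
    if (framer.protocol !== `${m[1]}:`) return false;
    host = m[2];
  }
  host = host.split('/')[0].split(':')[0]; // drop any path and port
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // ".partner.example"
    return framer.hostname.endsWith(suffix) && framer.hostname.length > suffix.length;
  }
  return framer.hostname === host;
}

function canBeFramed(headers, pageUrl, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const page = new URL(pageUrl);
  const framer = new URL(framerOrigin);

  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) {
    const allowed = ancestors.some((src) => sourceMatches(src, page, framer));
    return { frameable: allowed, reason: `CSP frame-ancestors ${allowed ? 'permits' : 'blocks'} ${framer.origin}` };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { frameable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    const same = page.origin === framer.origin;
    return { frameable: same, reason: `X-Frame-Options: SAMEORIGIN, framer is ${same ? 'same' : 'cross'}-origin` };
  }
  if (xfo) return { frameable: true, reason: `X-Frame-Options "${xfo}" is not DENY/SAMEORIGIN and is ignored` };
  return { frameable: true, reason: 'no anti-framing header at all: clickjackable' };
}

// Constructed sample responses (not captured from any real portal)
const SAMPLE_RESPONSES = {
  vulnerable: { 'Content-Type': 'text/html', 'Set-Cookie': 'session=abc123; Secure; HttpOnly' },
  xfoOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  obsoleteXfo: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  cspAndXfo: {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  },
};

function auditSamples(pageUrl, framerOrigin) {
  const results = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    results[name] = canBeFramed(headers, pageUrl, framerOrigin);
  }
  return results;
}

// Stand-alone run: could a look-alike domain frame the transfer page?
for (const [name, r] of Object.entries(auditSamples('https://bank.example/transfer', 'https://lookalike.example'))) {
  console.log(`${name.padEnd(12)} frameable=${r.frameable}  ${r.reason}`);
}
```

Run it against the header set of every response the portal returns, not just the login page: a single frameable page in the authenticated area, an error page included, is enough to host the glass pane.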

Step 3 – The Delivery

Delivering the attack is really easy. URL-shortened links via Twitter, Facebook and LinkedIn all work really nicely. We even managed to set up a PPC campaign on Google by copying the actual bank's PPC campaign and using our URLs.

Step 4 – Viable Targets

Who is at risk from this attack? Anyone who runs a transactional site that does not implement the anti-framing security headers, but good targets are:

  • Gambling sites

  • Cryptocurrency exchanges

  • Banks and credit card companies

  • All retailers (takes more work but still worth it)

Considering the remediation for this takes seconds, it is shocking that we still find sites that are vulnerable.

Author Details
Founder & CEO at Hedgehog Security

Peter has been in the Information Security world since 1999 and in IT in general since 1996. His work history contains a unique blended balance between the development of exceptional technical capabilities and business knowledge. Peter is a proud father of twins and enjoys GT endurance racing on the weekends.
