Clickjacking with Burp Suite

Clickjacking With Burp Suite

Table Of Contents

Clickjacking With Burp Suite

Talk Scope

Learn Clickjacking through an interactive example
- Plunker
Leverage Burp Suite to create a Clickjacking PoC
Learn to defend against Clickjacking attacks
- X-Frame-Options and Content-Security-Policy
Witness how helmet Express.js middleware can stop Clickjacking attacks

What Is Clickjacking?

Many sensitive actions (or state changes) require clicks
Clickjacking jacks clicks from one part of the application, and applies them to a sensitive/unintended action
Occurs because a malicious website makes UI alterations
- AKA “UI redress attack”

Clickjacking Ex: Evil.com

iframe
- Loads in Flash Settings page (or other sensitive page)
Login Here button
- Something the user is likely to click
CSS alterations

Clickjacking Ex: Evil.com (CONT.)

Plunker Example
- https://sts.tools/clickjacking

Clickjacking Mitigations

Content-Security-Policy
X-Frame-Options

Mitigations: Content Security Policy (CSP)

HTTP Response Header
Controls the browser’s security settings for a given website
frame-ancestors directive
- Controls if a webpage can be used within a frame or iframe
- Evil.com Ex:
  - <iframe src="https://victim.example.com"></iframe>

Mitigations: CSP Examples

Content-Security-Policy: frame-ancestors 'none';
- Prevents any domain from framing the content
- ' are required
Content-Security-Policy: frame-ancestors 'self';
- Only allows the current site to frame the content
  - Everything within the current origin

Mitigations: CSP Examples (CONT.)

Content-Security-Policy: frame-ancestors 'self' '*.somesite.com' 'https://myfriend.site.com';
- Framing access
  - Current site
  - Any page on somesite.com (using any protocol)
  - Only the page myfriend.site.com using https (with the default port 443)
Examples via https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

Mitigations: CSP Compatability

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
CSP is relatively new vs X-Frame-Options HTTP response header

Mitigations: CSP vs X-Frame-Options

CSP is meant to replace X-Frame-Options header
- Many current defenses still leverage X-Frame-Options header
  - Ex: helmet library for Express.js (Node.js)
    - https://github.com/helmetjs/helmet

Mitigations: X-Frame-Options

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/

Mitigations: X-Frame-Options (Compatability)

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Burp Clickbandit Ex

Use Burp Suite to clickjack FAmazon Juice
Prerequisites
- Burp Suite
  - Security testing tool for web applications
  - https://portswigger.net/burp/communitydownload
- FAmazon Juice
  - Intentionally vulnerable web app
```
git clone https://github.com/SecuringTheStack/tutorials
cd $TUTORIAL_REPO/ep12-clickjacking
docker-compose up
            
```

Misc Clickjacking Examples

Starting a malware download
Following someone on Twitter
- Variations for Facebook likes, etc.
Clicking Google ads to generate pay-per-click revenue
https://blog.guya.net/2008/10/07/malicious-camera-spying-using-clickjacking/

Additional Resources

Same Origin Policy Tutorial

Error Log