SEEDLabs: Clickjacking attack lab (Part 1)

Clickjacking, also known as UI-Redress attack, misleads the victim by overlaying multiple frames and making some frames invisible. Thus the victim is displayed with one webpage but his/her action is actually on another webpage that is selected by the attackers. This attack takes advantage of the HTML property called iFrame. The objective of this lab is to understand how iFrame with some Style property can be used as the tool for such an attack. Students will first create HTML webpages to learn the use of iFrame and then they will try Clickjacking attacks on the phpBB Web Application server within the lab environment.

Here is the main page of the project: http://www.cis.syr.edu/~wedu/seed/Labs/Vulnerability/ClickJacking/

Here is the detail description of the project: http://www.cis.syr.edu/~wedu/seed/Labs/Vulnerability/ClickJacking/ClickJacking.pdf

I. Lab Environment for this lab

According to the instructions, there are four tools I need to achieve this lab:

Firefox web browser.
Apache web server.
phpBB message board web application.
A malicious website.

The instruction states that the phpBB already exists in the /var/www/ directory; however, in this new image SEEDUbuntu 12.04, there is no phpBB web application thus, I have to

Install phpBB web application
Create a malicious web server

Noted: Firefox web browser and apache web server are installed in the operating system.

First, I will change use sudo command to change to root user in order to easily execute any commands required the root user.

Then, I start the apache server as follow:

I.1. Installing phpBB web application

The entire process of installing phpBB web application can be found in the Ubuntu community help wiki (jvin248, 2010).

The installation installs the phpbb3 package and perform all the database configuration. I will be prompted for the mysql root user password.
Noted: themysql’s user namedroot not the root user Thus, the account I have is:

Username: Root
Password: seedubuntu

Choosing the webserver that is used for this phpbb3 web application. Here I use apache web server.

The phpBB3 required the configuration of the database in order to save database for the data of the web application. Here, Yes is chosen in order to configure the database.

I use the mysql for my database type, so I chose mysql.

Here as stated above, this is the account of the mysql root user not the root user of the SEEDUbuntu 12.04. I filled in the password, seedubuntu.

The password for the phpbb3 MySQL application is seedubuntu.

Re-type the input password to confirm the given password

Here is the password for phpBB admin in the web application. The given password is seedubuntu.

Re-type the input password to confirm the given password.

It shows that the phpBB3 web application and the database configuration are well installed and configured.

I.2. PhpBB3 Configuration with Apache

I created a soft link (shortcut) in the /var/www/ to the phpbb3 web application, so that I can make the phpBB3 accessible through the apache web server. The name of the shortcut is OriginalPhpbb.

I put the http://www.originalphpbb.com in the /etc/hosts to redirect the name of given domain.

Create a new entry for phpBB website in the apache server by appending the following information to the file /etc/apache2/sites-available/default:
<VirtualHost*:80>
ServerName www.OriginalPhpbb.com
DocumentRoot /var/www/OriginalPhpbb/

Here is the home page of the phpBB forum web application. It is indicated that the phpBB was successfully installed and configured.

I.3. Enable PhpBB3 Forum dashboard

When the phpBB is first installed, by default, its forum dashboard is disable, so I need to enable this dashboard so that I can create users to posts and perform click jacking attack.

Username: admin
Password: seedubuntu

It will ask to re-type the administration account. After that I can be able to access the administration control panel.

To enable the dashboard, click on the board setting and in the board setting, select the ‘No’ value at the disable board.

This is the enabled dashboard.

I.4. Create user in PhpBB3

In the proposed clickjacking scenario, I need to create at least two users. I will create two users, titi and alice. The former is the hacker using clickjacking and the latter is normal user that will be tricked.
Again in this built image, there is no existing users, so I need to create users in phpBB. In this demonstration, I will create only user titi. The procedure is the same for user alice.
In the home page of phpBB web application, click on the register.

Agree on term and agreement

Fill in the demanded information of the user.

The titi account has been successfully created but it is inactive, I need to go to my email and verify; however, for this purpose I will log in as admin to activate this user manually.

Activiate user titi from administration control panel

I.5. Create a malicious website

Choose a name for your new website. Let us call it www.clickjackinglab.com.
Add the following line to the /etc/hosts file: 127.0.0.1 www.clickjackinglab.com

Create a directory called ClickjackingLab in /var/www/. All your html files should be kept in this newly created directory.

Create a new entry for your new website in the apache server by appending the following information to the file /etc/apache2/sites-available/default:
<VirtualHost*:80>
ServerName www.clickjackingLab.com

DocumentRoot /var/www/ClickjackingLab

Restart the Apache server using the following command: % sudo service apache2 restart

Check your website by accessing it through Firefox browser.

We now successfully configure and ready to create a clickjacking scenario.
In the part 2, I will continue to solve the understanding the iFrame, the clickjacking attack scenario and the countermeasure for the clickjacking attack.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

SEEDLabs: Clickjacking attack lab (Part 1)

I. Lab Environment for this lab

I.1. Installing phpBB web application

I.2. PhpBB3 Configuration with Apache

I.3. Enable PhpBB3 Forum dashboard

I.4. Create user in PhpBB3

I.5. Create a malicious website

Written by Vortana Say

How To Setup Google Assistant Trivia Game In Detail (Part 2)

How To Setup Google Assistant Trivia Game In Detail (Part 1)

Crypto Lab – Secret-Key Encryption (Part 2)