
SEEDLabs: Clickjacking attack lab (Part 1)


Written by Vortana Say · 3 min read

Clickjacking, also known as a UI redress attack, misleads the victim by overlaying multiple frames and making some of them invisible. The victim sees one web page, but his or her clicks actually land on another page chosen by the attacker. The attack takes advantage of the HTML iframe element together with a few CSS style properties. The objective of this lab is to understand how an iframe combined with such style properties can be used as the tool for this attack. Students will first create HTML web pages to learn the use of iframes, and then they will try clickjacking attacks on the phpBB web application server within the lab environment.

Here is the main page of the project:  http://www.cis.syr.edu/~wedu/seed/Labs/Vulnerability/ClickJacking/

Here is the detailed description of the project: http://www.cis.syr.edu/~wedu/seed/Labs/Vulnerability/ClickJacking/ClickJacking.pdf

I. Lab Environment

According to the instructions, four components are needed for this lab:

  1. Firefox web browser.
  2. Apache web server.
  3. phpBB message board web application.
  4. A malicious website.

The instructions state that phpBB already exists in the /var/www/ directory; however, the new SEEDUbuntu 12.04 image ships without the phpBB web application, so I have to:

  • Install the phpBB web application
  • Create a malicious web server

Note: the Firefox web browser and the Apache web server are already installed in the operating system.

First, I use sudo to switch to the root user so that I can run the commands that require root privileges without prefixing each one.

Then I start the Apache server.

I.1. Installing phpBB web application

The entire process of installing phpBB web application can be found in the Ubuntu community help wiki (jvin248, 2010).

 

Installing the phpbb3 package also performs the database configuration. I am prompted for the MySQL root user's password.
Note: this is MySQL's own user named root, not the operating system's root user. On this image the account is:
  • Username: root
  • Password: seedubuntu

Next I choose the web server that phpbb3 should be configured for. Here I use the Apache web server.

phpBB3 requires a database to store the web application's data, so I answer Yes to configure the database.

I use MySQL for my database, so I choose mysql as the database type.

As stated above, this is the MySQL root user's password, not the root password of SEEDUbuntu 12.04. I fill in seedubuntu.

I set the password for phpbb3's own MySQL account to seedubuntu.

Re-type the password to confirm it.

Next comes the password for the phpBB administrator in the web application. I again use seedubuntu.

Re-type the password to confirm it.

The installer then reports that the phpBB3 web application and its database have been installed and configured.

I.2. PhpBB3 Configuration with Apache

I created a symbolic link in /var/www/ to the phpbb3 web application's directory so that phpBB3 is accessible through the Apache web server. The name of the link is OriginalPhpbb.

I added an entry for www.originalphpbb.com to /etc/hosts so that the name resolves to the local machine (127.0.0.1). The hosts file takes a hostname, not a URL.

Create a new entry for the phpBB website in the Apache server by appending the following virtual host to the file /etc/apache2/sites-available/default (note the space after VirtualHost and the closing tag; Apache rejects the configuration without them):

<VirtualHost *:80>
    ServerName www.originalphpbb.com
    DocumentRoot /var/www/OriginalPhpbb/
</VirtualHost>

After restarting Apache, the home page of the phpBB forum loads at www.originalphpbb.com, which confirms that phpBB was successfully installed and configured.

I.3. Enable PhpBB3 Forum dashboard

When phpBB is first installed, its forum board is disabled by default, so I need to enable it before I can create users, post messages and perform the clickjacking attack.

Log in as the administrator with the account created during the database configuration:

  • Username: admin
  • Password: seedubuntu

phpBB asks me to re-enter the administrator password before granting access to the Administration Control Panel.

To enable the board, open Board settings and set the 'Disable board' option to No.

The board is now enabled.

I.4. Create user in PhpBB3

The proposed clickjacking scenario needs at least two users. I will create two, titi and alice: the former is the attacker who uses clickjacking, and the latter is the normal user who will be tricked.
Again, this image ships with no existing users, so I need to create them in phpBB. In this demonstration I create only the user titi; the procedure is the same for alice.
On the home page of the phpBB web application, click Register.

Agree to the terms of use.

Fill in the requested information for the user.

The titi account has been created but is inactive. Normally I would open the verification e-mail, but for this lab I log in as admin and activate the user manually.

Activate user titi from the Administration Control Panel.

I.5. Create a malicious website

  1. Choose a name for your new website. Let us call it www.clickjackinglab.com.
  2. Add the following line to the /etc/hosts file: 127.0.0.1      www.clickjackinglab.com


Create a directory called ClickjackingLab in /var/www/. All your html files should be kept in this newly created directory.

Create a new entry for your new website in the Apache server by appending the following virtual host to the file /etc/apache2/sites-available/default (again with the space after VirtualHost and the closing tag):

<VirtualHost *:80>
    ServerName www.clickjackinglab.com
    DocumentRoot /var/www/ClickjackingLab
</VirtualHost>

Restart the Apache server using the following command: % sudo service apache2 restart

Check your website by accessing it through Firefox browser.
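The steps in sections I.2 and I.5 are the same procedure applied twice (hosts entry, virtual host, document root, restart). The script below is an added example written for this write-up, not part of the SEED lab materials or of the original post: add_site performs that procedure idempotently for one hostname, and frame_policy reads HTTP response headers and reports whether the served page can be placed in an iframe at all, which is the precondition for the attack in Part 2. The default paths are the Ubuntu 12.04 / Apache 2.2 locations used in the post; the file name labsite.sh, the variables HOSTS_FILE and VHOST_FILE, and the header classification in frame_policy are my own assumptions. Ubuntu's ports.conf already declares NameVirtualHost *:80, which name-based hosts need on Apache 2.2.

```shell
#!/bin/sh
# Added example for this write-up (not part of the SEED lab materials):
# registers one name-based Apache site the way sections I.2 and I.5 do and
# checks whether a served page can be put in an iframe. Defaults are the
# Ubuntu 12.04 / Apache 2.2 paths used in the post; override HOSTS_FILE and
# VHOST_FILE to rehearse the steps in a scratch directory without root.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
VHOST_FILE="${VHOST_FILE:-/etc/apache2/sites-available/default}"

# /etc/hosts entry: the lab hostname resolves to the local machine.
hosts_line() {
    printf '127.0.0.1\t%s\n' "$1"
}

# A complete name-based virtual host. Note the space in "<VirtualHost *:80>"
# and the closing tag; Apache rejects the configuration without the latter.
vhost_stanza() {
    printf '<VirtualHost *:80>\n    ServerName %s\n    DocumentRoot %s\n</VirtualHost>\n' "$1" "$2"
}

# Register a site idempotently: hosts entry once, vhost stanza once, docroot.
# Restarting Apache is left to the caller because it needs root.
add_site() {
    name="$1"
    docroot="$2"
    grep -qwF -- "$name" "$HOSTS_FILE" 2>/dev/null || hosts_line "$name" >>"$HOSTS_FILE"
    grep -qF -- "ServerName $name" "$VHOST_FILE" 2>/dev/null || vhost_stanza "$name" "$docroot" >>"$VHOST_FILE"
    mkdir -p "$docroot"
}

# Read HTTP response headers on stdin and print "blocked" if the server
# forbids cross-origin framing (X-Frame-Options or a CSP frame-ancestors
# directive), otherwise "framable". The lab scenario needs a framable target.
frame_policy() {
    hdrs=$(tr -d '\r')
    if printf '%s\n' "$hdrs" | grep -qiE '^x-frame-options:[[:space:]]*(deny|sameorigin|allow-from)'; then
        echo blocked
    elif printf '%s\n' "$hdrs" | grep -qiE '^content-security-policy:.*frame-ancestors'; then
        echo blocked
    else
        echo framable
    fi
}

# Usage on the lab VM (as root); labsite.sh is the assumed file name:
#   sh labsite.sh www.clickjackinglab.com /var/www/ClickjackingLab && service apache2 restart
#   curl -s -D - -o /dev/null http://www.originalphpbb.com/ | sh labsite.sh check
if [ "${1:-}" = "check" ]; then
    frame_policy
elif [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    add_site "$1" "$2"
    echo "registered $1 -> $2 (restart Apache to activate)"
fi
```

If the check prints blocked for the phpBB site, the browser will refuse to render it inside the malicious page's iframe and the attack pages built in Part 2 will show an empty frame; the check is worth running once after the environment is up, before debugging any overlay CSS.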

The environment is now configured and ready for the clickjacking scenario. Both hostnames resolve to 127.0.0.1, but the browser treats www.originalphpbb.com and www.clickjackinglab.com as different origins, so framing phpBB from the malicious site exercises the cross-origin case that clickjacking depends on.
In Part 2, I will continue with the use of iframes, the clickjacking attack scenario, and the countermeasures against clickjacking.