Clickjacking, also known as a UI-redress attack, misleads the victim by overlaying multiple frames and making some of them invisible. The victim sees one webpage, but his/her click actually lands on another webpage chosen by the attacker. This attack takes advantage of the HTML iFrame element. The objective of this lab is to understand how an iFrame combined with some style properties can be used as the tool for such an attack. Students will first create HTML webpages to learn the use of iFrame, and then they will try clickjacking attacks on the phpBB web application server within the lab environment.
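As an added example (not part of the SEED lab), the following Python decides from a response's headers whether a browser would let a page be framed by another origin, which is the check a defender runs against a site like this lab's phpBB to see whether an overlay attack is even possible; the origins and headers used are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample origins, matching the two sites set up in this lab.
PHPBB = "http://www.originalphpbb.com"
ATTACKER = "http://www.clickjackinglab.com"

def _source_matches(source, embedder):
    """Match one CSP frame-ancestors source (scheme/host/port, '*.' wildcard) to the embedder origin."""
    if source == "*":
        return True
    emb = urlsplit(embedder)
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != emb.scheme:
        return False
    emb_port = emb.port or {"http": 80, "https": 443}.get(emb.scheme)
    if src.port and src.port != emb_port:
        return False
    host = src.hostname or ""
    if host.startswith("*."):
        return emb.hostname.endswith(host[1:])
    return emb.hostname == host

def framing_allowed(headers, embedder_origin, page_origin):
    """True if a browser would render page_origin inside an iframe on embedder_origin.

    headers: response headers as a dict (looked up case-insensitively).
    A frame-ancestors directive in Content-Security-Policy overrides X-Frame-Options
    when both are present, which is the precedence browsers apply.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            for s in sources:
                if s == "'self'" and embedder_origin == page_origin:
                    return True
                if s not in ("'self'", "'none'") and _source_matches(s, embedder_origin):
                    return True
            return False  # directive present but no source matched: framing is blocked
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == page_origin
    # No recognised policy (including the obsolete ALLOW-FROM, which current
    # browsers ignore): the page can be framed from any origin, as in this lab.
    return True
```

Running `framing_allowed({}, ATTACKER, PHPBB)` against a stock phpBB response with no framing header returns True, which is the condition the lab's attack page relies on.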
Here is the main page of the project: http://www.cis.syr.edu/~wedu/seed/Labs/Vulnerability/ClickJacking/
Here is the detailed description of the project: http://www.cis.syr.edu/~wedu/seed/Labs/Vulnerability/ClickJacking/ClickJacking.pdf
I. Lab Environment for this lab
According to the instructions, there are four tools I need to achieve this lab:
- Firefox web browser.
- Apache web server.
- phpBB message board web application.
- A malicious website.
The instructions state that phpBB already exists in the /var/www/ directory; however, in the new SEEDUbuntu 12.04 image there is no phpBB web application, so I have to:
- Install phpBB web application
- Create a malicious web server
Note: the Firefox web browser and the Apache web server are already installed in the operating system.
First, I use the sudo command to switch to the root user so that I can easily execute any commands that require root privileges.
Then, I start the Apache server as follows:
I.1. Installing phpBB web application
Note: this is the MySQL user named root, not the operating system's root user. Thus, the account I have is:
- Username: Root
- Password: seedubuntu
I.2. PhpBB3 Configuration with Apache
I created a symbolic link (shortcut) in /var/www/ to the phpBB3 web application, so that phpBB3 is accessible through the Apache web server. The name of the shortcut is OriginalPhpbb.
I added www.originalphpbb.com to /etc/hosts so that this domain name resolves to the local machine.
Create a new entry for the phpBB website in the Apache server by appending the following information to the file /etc/apache2/sites-available/default:
<VirtualHost *:80>
ServerName www.OriginalPhpbb.com
DocumentRoot /var/www/OriginalPhpbb/
</VirtualHost>
Here is the home page of the phpBB forum web application. It is indicated that the phpBB was successfully installed and configured.
I.3. Enable PhpBB3 Forum dashboard
When phpBB is first installed, its forum board is disabled by default, so I need to enable it so that I can create users, write posts, and perform the clickjacking attack.
Login as the administrator with the account (password given during the database configuration):
- Username: admin
- Password: seedubuntu
To enable the dashboard, click on Board settings and, under Board settings, set the "Disable board" option to No.
This is the enabled dashboard.
I.4. Create user in PhpBB3
Again, in this built image there are no existing users, so I need to create users in phpBB. In this demonstration, I will create only the user titi. The procedure is the same for the user alice.
On the home page of the phpBB web application, click on Register.
Agree to the terms and conditions.
I.5. Create a malicious website
- Choose a name for your new website. Let us call it www.clickjackinglab.com.
- Add the following line to the /etc/hosts file: 127.0.0.1 www.clickjackinglab.com
Create a directory called ClickjackingLab in /var/www/. All your HTML files should be kept in this newly created directory. Then add a matching entry to /etc/apache2/sites-available/default:
<VirtualHost *:80>
ServerName www.clickjackingLab.com
# Serve the directory created above for this site
DocumentRoot /var/www/ClickjackingLab/
</VirtualHost>
Restart the Apache server using the following command: % sudo service apache2 restart
The environment is now successfully configured and ready for creating a clickjacking scenario.
In part 2, I will continue with understanding the iFrame, the clickjacking attack scenario, and the countermeasures against the clickjacking attack.