Others

SEEDLabs: Clickjacking attack lab (Part 2)

In the previous post, part 1, we successfully did the task 1. In this part, we are going to do solve the...

Written by Vortana Say · 4 min read

In the previous post, part 1, we successfully did the task 1. In this part, we are going to do solve the iFrame section, proposed a clickjacking attack scenario and the countermeasure for this attack.

Again here is the main page of the project:
http://www.cis.syr.edu/~wedu/seed/Lab s/Vulnerability/ClickJacking/
Here is the detail description of the project:  http://www.cis.syr.edu/~wedu/seed/Labs/Vulnerability/ClickJacking/ClickJacking.pdf

Task I: Understanding iFrame

iFrame is a tag defined as inline Frame by the HTML standard. iFrame facilitates to embedd an HTML document in a frame inside a normal HTML document. HTML has an attribute called Style, which provides the user with the option of layouting the HTML element. Style attribute introduces Cascading Style Sheet (CSS) to the HTML.

In this task, the student need to get familiar with iFrame and its Style attribute:

  1. Create a webpage by copying the above mentioned code into an ”index.html” file in the website directory /etc/var/www/
  1. This is the home page opened in firefox web browser.

  1. Describe any 3 interesting observation about Style properties.a) The opacity is used to transparent the iframe object. If it equals 0.0 the ifame will be totally hided.

    b) The CSS positioning properties allow us to position an element, and place an element behind another; moreover, we can use it to specify what should happen when an element’s content is too big; an absolute position element is positioned relative to the first parent element that has a position (CSS Positioning, s.d.).

    c) The exact position of the iframe is identified given the value of the top, left properties. The most important is the width and height properties which is the size of the iframe must be given.

Task II: The Click jacking Attack

The goal of this simulation is to delete a post posted by user in the phpBB forum web application. What is the scenario?

  1. There is a user called alice posted asking if there is any event at Maharishi university of management.
  2. User titi as an attacker, posted a message reply to alice whose contents message consist of the link to his malicious website.
  3. In the malicious website there are two questions in which user needs to click on the fake buttons yes. There are two questions because originally titi know that when user clicks on delete button on each post, phpBB asks for the confirmation, thus:
    • The first fake question correspond to the delete post action
    • The second fake question correspond to the confirmation delete action In the following section, I will elaborate each action in the simulation.Note: for the new phpBB3, the action delete can be done by certain permission given from the administrator, so alice needs to be given the delete permission.

II.1. Alice created a post in PhpBB Forum

I logged in as user alice.

As alice, clicked on the Forum, and new topic to create a new post.

Here is the post of alice:
Topic: Any event at M.U.M?
Content: Hi all any event at Maharishi University of Management? Thank

II.2. Attacker titi reply alice’s post

I logged in as titi.

Attacker titi replied to alice:

Hi, alice, I got the link given from the spring gala members to win the free ticket to the spring gala event at M.U.M.
Only need to answer a question. I did it and got myself a ticket 😀
Here is the link: [url=http://www.clickjackinglab.com?p=viewtopic.php&f=2&t=3]spring gala question[/url]

Noted: [url=http://www.clickjackinglab.com?p=viewtopic.php&f=2&t=3]spring gala question[/url]

This is the link that titi embedded with his reply. The link redirect to the clickjacking website and titi gave the parameter as well because he wants the iframe in the clickjacking load the location of the phpBB web page on this post.

Here is the reply shown to alice and other users. As can be seen the text in the red rectangle is the link that redirect the user to the malicious website.

II.3. Clickjacking Operation

Here is the malicious website that user see. In real world, the domain name should change to something that does not make the user cautious.

The iframe whose url is the phpBB web application was embedded, but the opacity of the frame set to 0.0, so it hides.

When user click yes on the first question “Are you a student at Maharishi University of Management?” the user actually clicked on the delete cross button of the phpBB web application. After that the second question, “Do you want to join the spring gala event?” will be shown, while the first question is hided.

Following the iframe is shown. The fake button “yes” works as a confirmation to delete the post from the phpBB web application.

Here is the confirmation that the post is deleted.

Before delete the post.

After delete the post.

Screen Shot 2015-05-26 at 02.00.10

II.4. Implementation

In the ClickJackingLab folder in the /var/www/ directory.

  • index.php: home page of the malicious web site. Since I used php, so theextension of the file must be php.
  • Style.css: this page contain the style sheet of the web site.
  • Directory image: it store images used in the web site.

Index.php


Style.css

Task III. Protection against ClickJack attack

Frame-Busting: This technique checks if the webpage is the topmost window or embedded in a frame. If the webpage is embedded, it will bust out of the frame and makes itself as the topmost frame. This is achieved with the help of DOM property call top. The top property defines the topmost ancestor window.

// <![CDATA[
function breakout() { 
        if (window.top!=window.self) {
                  window.top.location=window.self.location;
        }
}
// ]]>

The above javascript function defines a sample frame-busting function.

This mechanism is called the frame busting. I need to embed the java script code above and call this function in order to test if the web site is used to be embedded in any frame.

The question is where should I embed this javascript code? In order to make the javascript code apply globally, I can embed either in header or footer. Fortunately, phpBB has overall header and overall footer that are used globally, so I will embed the javascript in the overall header.

I can edit the file overall_header.php manually or use the administration control panel as follow.

Log in to the administration control panel, then choose style, click on the template at the left side, after that choose overall_header.php option. Search for

and past the javascript code before this

Here I embedded the javascript code to bust the iframe.

Noticed: do not forget to call the javascript function.

Here I added the alert box to the javascript code that used to bust the iframe. The alertness shows the user that this page contain the phpBB links loaded in iframe that could be used for clickjacking attack.

When user click ok button, it will redirect to the original page that the malicious link was clicked.

Screen Shot 2015-05-26 at 02.07.13

Observation: Since the attack of the clickjacking is done using frame, thus the frame busting technique is obvious by testing if url of the website is loaded in to the iframe. However, there are two cases that this approach fail. First, users might disable javascript in the web browser. Second, in Internet Explorer, it allows using the non-standard attribute security=”restricted” that tells IE to not allow executing of javascript in the iframe, which actually is not a bad security measure for other types of attacks, but it allows the attacker to disable the frame busting script (Pot, 2009).