Injection attacks (Part 2)

iFrame injection and Clickjacking

iFrame refers to an inline frame, it is used to embed one HTML document into another HTML document.Keep on reading , i will show you how to do that.

1) If we see the URL we can see the height and width parameters are 250 and 250.

1i

2i

2) lets play with them

3i

changing these figures we can see the effect on the screen. The window shrinks to our given size.

4i

Lets Bake some code now… Not a coder ? I will bake it for you

A simple HTML code to pull the website into the iFrame which i have embedded into my code.

<html>
<title>iframe</title>
<body>
http://192.168.0.16/bWAPP/iframei.php
</body>
</html>

Save the above code in .html format and open it in a browser. We see that the iframe is called or embedded into a new html page with iframe title.

6i
Now let’s steal a few clicks

Below is a normal looking page for a website offering free movies, everyone wants FREE movies.

7i

Now we have another page to book tickets.

8i

Now lets bake come code again.

<html>
<title>iframe</title>
<body>
http://192.168.1.8/evil/clickjacking.htm
http://192.168.1.8/bWAPP/clickjacking.php
</body>
</html>

The purpose of the above code is to embed both the frames on top of each other.Below is the output.

10i

I have changed the transparency and size of the two so that you can see clearly. we have 2 confirm buttons, we will adjust them to overlap each other.

11i

Now the Confirm buttons are overlapped, if we click the confirm button to get free movies we will unknowingly be clicking the other page.An attacker will make the page totally transparent so that the victim is not able to see the other page, i have just kept the opacity to 70% for understanding.

Now lets click and see the magic.

12i

See that your stolen click has actually booked 10 movie tickets.

Now that you know how much damage this can cause, I will provide the remediation as well.I don’t want the users to fear every moment they click.

Remediation

  • Frame bursting
  • Double frame bursting
  • X-Frames

The first two options convey not to load the webpage into an iFrame. We will be keen on the X-Frames part.

X-Frame is set in the response header of the webpage which will tee the browser whether to load the page into the frame or not.

We have several options/directives for that as well.

X-Frame-options: SAME ORIGIN

The page can only be displayed in a frame on the same origin as the page itself.

X-Frame-options: ALLOW FROM source

The page can only be displayed in a frame on the specified origin.

X-Frame-options: DENY

The page cannot be displayed in a frame, regardless of the site attempting to do so.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s