Multistep clickjacking
Description
This lab has some account functionality that is protected by a CSRF token and also has a confirmation dialogue to protect against clickjacking.
Reproduction and proof of concept
Log in to the wiener:peter account on the target website.
Create the payload:
- The iframe src URL points to the vulnerable page on the target website. In this case that is the target website's user account page, and the URL depends on the unique lab-id.
- An initial opacity of 0.1, so the iframe actions can be seen while aligning them and adjusting the position values.
- Initial $top_value1 and $side_value1 values of resp. 330px and 50px, to align the "Delete account" button with the "Test me first" decoy action.
- Initial $top_value2 and $side_value2 values of resp. 285px and 225px, to align the "Test me next" decoy action with the "Yes" button on the confirmation page.
<style>
iframe {
position:relative;
width:500px;
height: 700px;
opacity: 0.5;
z-index: 2;
}
.firstClick, .secondClick {
position:absolute;
top:495px;
left:50px;
z-index: 1;
}
.secondClick {
top:285px;
left:200px;
}
</style>
<div class="firstClick">Test me first</div>
<div class="secondClick">Test me next</div>
<iframe src="https://0a0100e003ab414dc0dbe6e7003a004a.web-security-academy.net/my-account"></iframe>
Go to the exploit server and paste the payload into the body field of the form.
Click Store and then View exploit. Hover over Test me first to make sure the cursor changes to a hand, indicating that the div element is positioned correctly. If it is not, adjust the position of the div element by modifying the top and left properties inside the firstClick class of the style sheet.
Click Test me first, then hover over Test me next and ensure the cursor changes to a hand, indicating that the div element is positioned correctly. If it is not, adjust the position of the div element by modifying the top and left properties inside the secondClick class of the style sheet.
Change "Test me first" to "Click me first", "Test me next" to "Click me next", set opacity to 0.0001, and click Store.

Deliver exploit to victim.
Exploitability
An attacker needs access to the site (wiener:peter) and must construct a page that fools the user into clicking the "Delete account" button and then the confirmation dialogue, by clicking the "Click me first" and "Click me next" decoy actions. The CSRF token and the confirmation dialogue do not help here, because every click is made by the victim's own browser inside the framed page.
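As an added illustration (this is my own code, not part of the lab write-up or PortSwigger's material), the Python below audits a raw HTTP response for the header-level defence that actually stops this attack: a Content-Security-Policy frame-ancestors directive or an X-Frame-Options header that forbids cross-origin framing. The function names and the two sample responses are constructed for the example; only the lab host name comes from the page.

```python
"""Added example, not part of the original lab write-up.

The write-up shows that a CSRF token and a confirmation dialogue do not
stop multistep clickjacking: the victim's own browser issues every click
inside the framed page, so both protections are satisfied. What stops it
is telling the browser the page may not be framed by other origins, via
Content-Security-Policy: frame-ancestors and/or X-Frame-Options. The
functions below parse a raw response header block and report whether a
browser would refuse to frame the page. Sample responses are constructed.
"""


def parse_header_block(raw):
    """Parse the header section of a raw HTTP response into a dict.

    The status line is skipped and header names are lower-cased so that
    framing_policy() can look them up case-insensitively. If a header is
    repeated, the first occurrence wins.
    """
    headers = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break  # a blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def framing_policy(headers):
    """Return (protected, reason) for a dict of lower-cased header names.

    CSP frame-ancestors is checked first because a browser that supports
    it ignores X-Frame-Options when both are present. X-Frame-Options
    ALLOW-FROM is obsolete and ignored by current browsers, so it counts
    as no protection at all.
    """
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.strip("'").lower() for s in parts[1:]]
        if not sources or sources == ["none"]:
            # An empty source list behaves like 'none'.
            return True, "CSP frame-ancestors forbids all framing"
        if any(s in ("*", "http:", "https:") for s in sources):
            return False, "CSP frame-ancestors permits any origin"
        return True, "CSP frame-ancestors limited to: " + " ".join(sources)

    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored"
    return False, "no framing restriction: page can be loaded in a cross-origin iframe"


# Constructed sample: the lab's account page as it would be served with
# no framing protection (host name taken from the write-up above).
UNPROTECTED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Cache-Control: no-store
Set-Cookie: session=CONSTRUCTED_VALUE; Secure; HttpOnly
"""

# Constructed sample: the same page with the headers a fix would add.
PROTECTED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Frame-Options: DENY
"""


def audit(raw):
    """Convenience wrapper: raw response text -> (protected, reason)."""
    return framing_policy(parse_header_block(raw))


if __name__ == "__main__":
    for label, raw in (("unprotected", UNPROTECTED_RESPONSE),
                       ("protected", PROTECTED_RESPONSE)):
        ok, why = audit(raw)
        print(f"{label}: {'OK' if ok else 'VULNERABLE'} ({why})")
```

Run it against a captured response for /my-account: the unprotected sample reports VULNERABLE, the protected one reports OK. For a real site, frame-ancestors 'self' is the right choice when the application legitimately frames its own pages; 'none' is the safe default otherwise.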