maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

double clickjacking

Browse Source
This commit is contained in:
Carlos Polop 2025-01-06 11:19:26 +01:00
parent 972d01bc6b
commit f426575e6a
1 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/pentesting-web/clickjacking.md
View File

@ -16,7 +16,7 @@ If you need the user to **fill a form** but you don't want to directly ask him t
### Basic Payload ### Basic Payload
```markup ```css
<style> <style>
iframe { iframe {
position:relative; position:relative;
@ -38,7 +38,7 @@ If you need the user to **fill a form** but you don't want to directly ask him t
### Multistep Payload ### Multistep Payload
```markup ```css
<style> <style>
iframe { iframe {
position:relative; position:relative;
@ -64,7 +64,7 @@ If you need the user to **fill a form** but you don't want to directly ask him t
### Drag\&Drop + Click payload ### Drag\&Drop + Click payload
```markup ```css
<html> <html>
<head> <head>
<style> <style>
@ -100,6 +100,15 @@ Example:\
You found a **self XSS** in some private details of the account (details that **only you can set and read**). The page with the **form** to set these details is **vulnerable** to **Clickjacking** and you can **prepopulate** the **form** with the GET parameters.\ You found a **self XSS** in some private details of the account (details that **only you can set and read**). The page with the **form** to set these details is **vulnerable** to **Clickjacking** and you can **prepopulate** the **form** with the GET parameters.\
An attacker could prepare a **Clickjacking** attack to that page **prepopulating** the **form** with the **XSS payload** and **tricking** the **user** into **Submit** the form. So, **when the form is submitted** and the values are modified, the **user will execute the XSS**. An attacker could prepare a **Clickjacking** attack to that page **prepopulating** the **form** with the **XSS payload** and **tricking** the **user** into **Submit** the form. So, **when the form is submitted** and the values are modified, the **user will execute the XSS**.
### DoubleClickjacking
Firstly [explained in this post](https://securityaffairs.com/172572/hacking/doubleclickjacking-clickjacking-on-major-websites.html), this technique would ask the victim to double click on a button of a custom page placed in a specific location, and use the timing differences between mousedown and onclick events to load the victim page duing the double click so the **victim actually clicks a legit button in the victim page**.
An example could be seen in this video: [https://www.youtube.com/watch?v=4rGvRRMrD18](https://www.youtube.com/watch?v=4rGvRRMrD18)
> [!WARNING]
> This technique allows to trick the user to click on 1 place in the victim page bypassing every protection against clickjacking. So the attacker needs to find **sensitive actions that can be done with just 1 click, like OAuth prompts accepting permissions**.
## Strategies to Mitigate Clickjacking ## Strategies to Mitigate Clickjacking
### Client-Side Defenses ### Client-Side Defenses