TL;DR
This guide shows you how to automate clickjacking tests using Burp Suite and a simple Python script. This helps find websites vulnerable to attacks where users are tricked into clicking something different from what they think.
Automating Clickjacking Tests

Understand Clickjacking

Clickjacking exploits the way browsers handle iframes. An attacker loads a target website inside an invisible iframe, then places malicious content on top of it. When a user clicks what they *think* is a legitimate button, they are actually clicking something else.

Set up Burp Suite

- Download and install Burp Suite Community Edition (free).
- Configure your browser to use Burp as a proxy so that it intercepts all web traffic. Typically this means setting the HTTP proxy in your browser settings to 127.0.0.1 on port 8080.
- Start Burp Suite and ensure it’s listening on the correct interface (usually localhost).

Identify Potential Targets

Look for websites with forms, buttons, or interactive elements that could be exploited. Websites that accept sensitive data are higher priority.

Create a Clickjacking Test Page (HTML)

This page will contain an iframe that loads the target website and, potentially, malicious content placed over it. Here’s a basic example:

<!DOCTYPE html>
<html>
<head>
<title>Clickjacking Test</title>
</head>
<body>
<iframe src="https://example.com" width="800" height="600" style="border:none;"></iframe>
<button onclick="alert('You clicked the malicious button!')">Click Me!</button>
</body>
</html>

Replace https://example.com with the target website’s URL.

Test Manually in Burp Suite

- Open your clickjacking test page in a browser configured to use Burp as a proxy.
- In Burp Suite, go to the ‘Proxy’ tab and then ‘Options’.
- Under ‘Intercept’, make sure ‘Intercept request before sending to server’ is unchecked.
- Navigate to your clickjacking test page in your browser.
- Use Burp’s ‘Burp Collaborator Client’ (or a similar tool) to detect whether the target website sends any data back when the iframe is loaded or interacted with. This can indicate potential vulnerabilities.
- Try clicking the malicious button on your test page. Observe what happens in the browser and check Burp Suite’s ‘Proxy > HTTP history’ tab to see if the click was registered on the target website. If it was, you’ve found a vulnerability!

Automate with Python (Example)

This script uses Selenium to load the test page and check whether specific elements on the framed target have changed.

from selenium import webdriver
from selenium.webdriver.chrome.options import Options
import time

# Set Chrome options for headless browsing (optional)
chrome_options = Options()
chrome_options.add_argument("--headless")
driver = webdriver.Chrome(options=chrome_options)

try:
    # Selenium needs a full URL; a local file is addressed as file:///absolute/path/to/page.html
    driver.get('file:///path/to/your_clickjacking_test_page.html')  # Replace with your test page URL
    time.sleep(5)  # Allow time for the page and the framed target to load

    # The target website lives inside the iframe, so switch into it before
    # looking up its elements (the first iframe on the page has index 0).
    # If the target refuses to be framed, the element will not exist and the
    # lookup raises, which is reported by the except branch below.
    driver.switch_to.frame(0)

    # Example: check if a specific element on the target website changed (replace selector)
    element = driver.find_element('id', 'targetElementId')  # Replace with the ID of an element that should change upon clickjacking
    if element.text != "expected_value":
        print("Clickjacking vulnerability detected!")
    else:
        print("No clickjacking vulnerability found.")
except Exception as e:
    print(f"An error occurred: {e}")
finally:
    driver.quit()
Important Notes for the Python script:
- Install Selenium: pip install selenium
- Download a ChromeDriver version compatible with your Chrome browser and place it in your system’s PATH, or specify its location in the script.
- Replace placeholders like ‘your_clickjacking_test_page.html’ and the element selectors (‘id’, ‘targetElementId’) with actual values from your test page and target website.
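The Selenium approach above only tells you what happened after the page was framed; a quicker first pass is to check whether the target's response headers allow framing at all. The following is an added example, not the article's own script, and the sample responses it scans are constructed rather than taken from real sites:

```python
"""Header-based clickjacking check (added example, not the article's own code).

Two response headers decide whether a browser will render a page inside a frame:
  X-Frame-Options: DENY | SAMEORIGIN  (ALLOW-FROM is obsolete and ignored)
  Content-Security-Policy: frame-ancestors <source-list>  (wins over X-Frame-Options)
Sample responses below are constructed, not taken from real sites."""
from typing import Mapping, Optional

def frame_ancestors(csp: str) -> Optional[list[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_allowed(headers: Mapping[str, str]) -> tuple[bool, str]:
    """Return (framable_by_other_origins, reason) for one response's headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:  # CSP frame-ancestors takes precedence over X-Frame-Options
        if ancestors in (["'none'"], ["'self'"]):
            return False, f"CSP frame-ancestors {ancestors[0]}"
        if any(a in ("*", "http:", "https:") or a.endswith("://*") for a in ancestors):
            return True, "CSP frame-ancestors allows any origin"
        return False, "CSP frame-ancestors limited to an allow-list"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False, f"X-Frame-Options {xfo}"
    if xfo:
        return True, f"X-Frame-Options '{xfo}' is not a recognised value and is ignored"
    return True, "no X-Frame-Options or CSP frame-ancestors header"

# Constructed sample responses keyed by a label (hypothetical, not real sites)
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-overrides-xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors https:"},
}

def scan(responses=SAMPLE_RESPONSES) -> dict[str, bool]:
    return {label: framing_allowed(h)[0] for label, h in responses.items()}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, *framing_allowed(headers))
```

A response flagged as framable is a candidate for the manual and Selenium tests above; one that sets DENY, SAMEORIGIN or frame-ancestors 'none' will simply refuse to render inside the test page.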
If you find a clickjacking vulnerability, report it responsibly to the website owner or security team.