As some of you know that I've been doing bug bounties for a while, today I was busy hacking a website that I cannot disclose as it was a private program from
Hackerone. I was looking for a clickjacking vulnerabity. Luckily as I was scanning the website with
Nikto, I found out that the website lacks some of the important headers that could prevent clickjacking and also it didn't have the
Anti-CSRF tokens. So I then decided to create a basic HTML clickjacking file and re-directed it to the website. This is how I created the simple HTML file:
Note that this is just a basic HTML file with nothing fancy. This code simply just verifies if the website is vulnerable to clickjacking or not. Hackers normally don't use such a basic "script", they modify the code and place their own website so that when they collect data from the victim, it sends it to their website(hackers). Its like one of those pop-ups where they tell you that you've won something then once you click - 'Get Prize!' and you enter your details, the hackers can collect your sensitive information. Another example could be a pop-up that asks for your Facebook information, then when you enter your details it and stores it to their servers (hackers). Clickjacking can be broad and it depends on who the hackers are targeting. Check the
Owasp explanation for more info on clickjacking.
So as I'm learning JavaScript, I decided that I should make a script that could check for me if a website is vulnerable to clickjacking. The script is very much basic as I'm still a NOOB in JavaScript and I hope that people will contribute to this little project I have made. The script is Open source and hosted on GitHub. You can check out the script
here.
0 comments:
Post a Comment