In this article we will learn about Clickjacking, Cursorjacking & Filejacking.
Introduction[Clickjacking, Cursorjacking & Filejacking]:
Clickjacking (User Interface Redress attack, UI redress attack, UI redressing) is a malicious technique to trick a website user into clicking on something other than what the user perceives to be clicking, thereby revealing confidential information or taking control of their computer. clicking on seemingly harmless websites. This is a browser security issue that is a cross-browser and cross-platform vulnerability. Clickjack takes the form of embedded code or script that can run without the user’s knowledge, such as clicking a button that appears to perform a different function.
The term “clickjacking” was coined by Jeremiah Grossman and Robert Hansen in 2008. Clickjacking can be seen as an example of the confused proxy problem, a term used to describe a situation where a computer is innocently tricked into abusing its authority [Wikipedia]. A clickjacking attack is a common security flaw where transparent iframes and custom CSS trick users into clicking an invisible object without them knowing.
The following code is an example of a status update:
Let’s look at the code mentioned above. In this example, the user will see an “update here” button and once the user clicks the button, a prompt will appear saying “status updated”. The actual page would contain the URL where these user input values are sent. When the user clicks the submit button, the user status is updated.
To exploit this, an attacker must frame a vulnerable website in a transparent iframe.
In the above code, there is no visible presence of frame content. Thus, the user will not see the content of the iframe, instead they will only see the mentioned image.
Using CSS code and a hidden frame, the user will only see the aforementioned image instead of the actual content of the application.
If the user clicks the button, the hidden HTML form is loaded into the iframe and submits the value. This is the simplest example of how a user can be tricked into taking unwanted actions. Although the application relies on the Anti-CSRF token, it does not affect the execution of a clickjacking attack. This is because the resource to be framed is loaded normally and contains a valid Anti-CSRF token.
Note: Clickjacking is a perfect example of bypassing the Anti-CSRF token.
Now you have two frames, one is the inner and the other is the outer iframe. The inner frame is updated according to the current mouse cursor position and the outer iframe element loads the target origin that you want to exploit with the same attack. This way the mouse cursor is always where you want it to be.
The following code uses the JQuery API to dynamically update the position of the outer frame according to the current mouse coordinates:
The inner iframe style uses the opacity trick to render an invisible element:
The BeEF clickjacking module with the preceding HTML code as an inner iframe will send all clicks to the iframe.
The iframe element tracks mouse movements.
So wherever the user clicks on the page, they will click on the update status button.
The cursor is still over the button.
When the user decides to click somewhere, the click fires the button’s onClick event on the page within the frame. As you can see in the source page of the framed page, this will result in a Warning dialog box.
The same origin is bypassed using the cursor
This is usually similar to a clickjacking attack, but in this issue we will focus on the mouse cursor.
Good cursor examples were demonstrated by Eddy Bordi and improved by Maruz Niemietz. Cursorjacking tricks the user by using a custom cursor image where the pointer is displayed with an offset. The displayed cursor is shifted to the right from the actual mouse position.
Let’s look at the following page:
This is an example of CursorJacking. Click the “b” or “d” buttons.
You can see that the mouse cursor has changed using the custom image. Contains a mouse icon that moves to a static indent on the right.
Click the second button to click the first button.
In the example above, the background of the image is visible, but in a real-world scenario, the image would be a transparent background. When the user tries to click the B and D buttons on the page, they actually click the button on the left side of the page.
This new attack vector relies on completely hiding the cursor in the body of the page and adding the following style to the body element.
Let’s take another example. Another cursor image is then dynamically overlaid and associated with mouse movement events.
The following code gives you an example of this technique:
Is this a good example of a cursor?
Note: Said code written by Kotowicz & Heiderich
In this example, the mouse cursor image is replaced with a custom image. Also, the event listener is then attached to the page body, listening for mousemove events.
When the user’s mouse is moved, the event triggers the listener that results in the fake mouse cursor (the visible one) moving accordingly.
Clicking the YES button results in clicking the Tweet button.
This technique actually originally bypassed NoScript’s ClearClick Protection.
Bypass same origin policy using filejacking
Filejacking allow the extrusion of directory content from the target underlying Operating
System to the attacker’s server through clever UI manipulation within the browser.
This result is that under certain conditions, you can download files from the target server. In order to perform this attack successfully, first the target must use Chrome, because it’s the only browser which supports directory and webkitdirectory input attributes like the following.
No file chosen
Second, the attack relies on baiting the victim into clicking somewhere, similar to the clickjacking attack. In this scenario, the input element presented is hidden behind a button element.
Kotowicz published this attack in a research paper in 2011 after analyzing the impact of delivering filejacking attack to users baited with social engineering tricks.
In order to exploit filejacking, you can Google it and find server and client side code for the same. Input element should have their opacity set to 0, which will be covered by the visible button element. When the victim clicks the button, they are actually clicking the input element, assuming they need to select a download destination.
When the victim clicks on the input element, a download destination is chosen and the onchange event on the input element is then triggered and the malicious function will execute. This results in enumerating the files contained in the selected download destination and formatting the content using the form data object, which is extruded with a cross-origin Post XMLHttpRequest. And the enumerated directory file is uploaded to the server.
The origin of the two previous snippets is different, which does not prevent the attack from exploiting. The file could be extruded from the target’s OS, SOP, powered browsers such as FIREFOX, CHROME and SAFARI. In cross-origin scenarios, the browser still sees the XMLHttpRequest, even through the response cannot be read.