Title: Turning XSS into Clickjacking
Post by: Dark_Knight on June 14, 2010, 09:14:23 PM
Those of us who do a lot of work in the security world have come to realize that there is a ton of cross site scripting (XSS) out there. 80% of dynamic sites (or more) suffer from it. But how many sites allow you to do HTML file uploads comparatively? It's a much smaller amount, and typically requires some sort of login before you're allowed to do it. Oftentimes it's protected by login too, so it's a relatively small amount of people who could be impacted by any sort of HTML file upload. But that is precisely what's needed to mount a clickjacking attack (usually one or two pages). Either the attacker has to rent space in the cloud with a stolen credit card, or find some parasitic hosting somewhere.
That's when I got to thinking... how can you use any old generic reflected XSS attack to mount a clickjacking attack? A few hours later I had a prototype that worked. Here's how the attack would work. Let's say a parameter like "search" was vulnerable to reflected XSS. An attacker could do something like:
This is an old trick that basically says anything that falls into the anchor tag is what the attacker wants to run as the attack. Anchor tags are not sent to the server, they are only seen on the client. So this effectively turns the reflected XSS into a DOM based XSS, which leaves less of a signature on the server as well, incidentally. Then the attacker's anchor payload would look something like this (this works only in Firefox):
So you have a reflected XSS on example.com that instantiates a DOM based XSS which instantiates a clickjacking attack against victim.com. Obviously you'd need to modify this to actually fit the right coordinates and work in other browsers, but this could easily be used to leverage the attack in situations where an attacker might not be able to otherwise. For instance, if the clickjacking defenses only care about the referrer and the referrer is on the correct domain just a different sub-domain, that could be used to bypass it - and so on. Anyway, I thought some people might think this is interesting. Happy penetration testing!
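The referrer-only defense the post says a same-site sub-domain slips past, placed beside a header-based check (X-Frame-Options or CSP frame-ancestors) that evaluates the framing origin exactly. This is an added Node.js example, not code from the original post; the hostnames app.victim.com and xss.victim.com are constructed.

```javascript
// Added example (not part of the original post): compare a naive referrer
// check with X-Frame-Options / CSP frame-ancestors when the framing page
// sits on another sub-domain of the same site. Hostnames are constructed.

// Parse a Content-Security-Policy header into { directive: [sources] }.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Does one frame-ancestors source expression admit the framing origin?
function sourceMatches(src, framerOrigin, selfOrigin) {
  src = src.replace(/^'|'$/g, '').toLowerCase();   // strip quotes on 'self' / 'none'
  if (src === 'none') return false;
  if (src === 'self') return framerOrigin === selfOrigin;
  if (src === '*') return true;
  const framerHost = new URL(framerOrigin).hostname;
  const host = src.replace(/^https?:\/\//, '');
  if (host.startsWith('*.')) return framerHost.endsWith(host.slice(1)); // wildcard sub-domains
  return framerHost === host;
}

// Referrer-only check of the kind the post describes: a suffix match on the
// registrable domain, so any sub-domain (including one with an XSS) passes.
function naiveRefererAllows(referer, siteDomain) {
  return new URL(referer).hostname.endsWith(siteDomain);
}

// Header-based verdict: CSP frame-ancestors takes precedence over X-Frame-Options,
// and with neither header present any page may frame the response.
function framingAllowed(headers, framerOrigin, selfOrigin) {
  const h = {};
  for (const k of Object.keys(headers)) h[k.toLowerCase()] = headers[k];
  const csp = h['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp)['frame-ancestors'];
    if (ancestors) return ancestors.some(s => sourceMatches(s, framerOrigin, selfOrigin));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === selfOrigin;
  return true;
}
```

Run against a framer of https://xss.victim.com with the app at https://app.victim.com: the referrer check admits it, while SAMEORIGIN or frame-ancestors 'self' refuse it and only an explicit https://*.victim.com source lets the sub-domain through.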