Clickjacking was first discovered in 2008 by Jeremiah Grossman and Robert Hansen. Clickjacking is a technique used to trick users into unknowingly clicking a hyperlink (a menu item) on a website. The technique uses an iframe as an overlay layer whose buttons are made invisible, so the user is deceived into thinking they are clicking a real button. Clickjacking is also often referred to as UI redressing. The essence of the attack is that the attacker hijacks the user's click: the user clicks what looks like a real hyperlink, but the click lands on the invisible iframe, and the attacker's malicious code is then delivered to the user.
Now let's download and install DVWA, an application deliberately designed with many vulnerabilities. DVWA is a web-based application that is widely used to learn web hacking and penetration testing. We also use Burp Suite, one of testers' favourite applications, and the Mozilla Firefox browser. With these three applications we can try a clickjacking attack demo on our own system.
Disclaimer: Never try to carry out any attacks on anyone's website if you haven't gotten permission from the manager / owner of the website and we are not responsible in this world and the hereafter for the violations that you commit.
Before running DVWA and Burp Suite, we need to configure the proxy in the Mozilla Firefox browser so that Burp Suite can intercept the requests.
Proxy configuration in Mozilla Firefox: navigation menu “Preferences” >> “Network Settings” >> “Settings”
Then we start accessing the DVWA application in the browser and wait for the page to load; it does not finish loading because the request is being intercepted by Burp Suite. Now check the Burp Suite instance that was started earlier; see the image below, where the request to the DVWA application is intercepted.
Click the menu “Burp” >> “Burp Clickbandit”
Click “Copy Clickbandit to clipboard”, then click Close. Then, on the Proxy menu in Burp Suite, click Forward, or click the “Intercept is on” button to turn interception off, so that further requests are not intercepted.
Then we return to the DVWA home page, right-click and select “Inspect Element” >> Console, paste the code that was copied from Burp Suite earlier, and press Enter.
The next step is to specify the menu (hyperlink) that you want to target; we can also disable clicks by checking “Disable click actions”. Then click Finish.
Previously I had clicked on the Instructions menu as the target menu, then clicked Finish. The menu we are targeting will show a red shade.
Business Risk and Impact of Clickjacking
Clickjacking has a moderate (medium) risk rating because it can occur in web applications that handle transactional data as well as in sensitive financial web applications. Even though the risk is moderate, the impact is high: this risk can be chained with other attacks, such as keyloggers used to steal user credentials.
An example of this attack could be targeting a financial application:
The attacker sends an email to a user in a certain organization, using social engineering techniques to target specific users, or sends mass emails in the hope that some user will respond. The attacker provides a URL to a page containing a transparent iframe; when the user clicks on the link, the user starts interacting with the malicious code created by the attacker.
Preventing Clickjacking Attacks
Even though Clickjacking is not in the OWASP Top 10, it should not be underestimated. As users, we need to know how to prevent it; one option is the NoScript extension in the browser. If you are a web administrator, you can prevent clickjacking on your website by adding the X-Frame-Options header in the web server configuration; you can refer to this URL as a reference for hardening HTTP response headers.
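To check whether the header actually reaches the browser after you change the web server configuration, here is an added example (not from the original post, DVWA or Burp) that parses a raw response like the one Burp shows in its Proxy tab and reports whether its X-Frame-Options value would block framing; the sample responses are constructed.

```python
"""Framing-protection check for a raw HTTP response (added example).
Parses a response as shown in Burp's Proxy tab and reports whether its
X-Frame-Options header would block loading it in a clickjacking iframe."""
from typing import Dict, Tuple

VALID_XFO = {"DENY", "SAMEORIGIN"}  # the only values browsers honour


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Header block of a raw HTTP/1.1 response -> dict (lower-cased names)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # [1:] skips the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def framing_verdict(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) based on the response's X-Frame-Options."""
    xfo = headers.get("x-frame-options")
    if xfo is None:
        return False, "no X-Frame-Options header: any site can frame this page"
    values = {v.strip().upper() for v in xfo.split(",")}
    if len(values) > 1:
        return False, f"conflicting values {sorted(values)}: send exactly one value"
    value = values.pop()
    if value in VALID_XFO:
        return True, f"X-Frame-Options: {value} blocks cross-site framing"
    # e.g. ALLOW-FROM, which current browsers no longer support and simply ignore
    return False, f"unsupported value {value!r}: browsers ignore it, page can be framed"


# Constructed sample responses (not captured from a real DVWA instance).
DVWA_DEFAULT = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                "Content-Type: text/html; charset=utf-8\r\n\r\n<html>...</html>")
HARDENED = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\n"
            "Content-Type: text/html; charset=utf-8\r\n\r\n<html>...</html>")
ALLOW_FROM = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.com\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("default", DVWA_DEFAULT), ("hardened", HARDENED), ("allow-from", ALLOW_FROM)):
        print(f"{label:>10}: {framing_verdict(parse_headers(raw))}")
```

Paste the full response from Burp's Proxy history into the parser to check a real configuration; a verdict of False means the page can still be loaded inside Clickbandit's iframe.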