Unlock enhanced API scanning with Burp Suite Enterprise Edition  –  Learn more

Lab: Exploiting clickjacking vulnerability to trigger DOM-based XSS

PRACTITIONER

This lab contains an XSS vulnerability that is triggered by a click. Construct a clickjacking attack that fools the user into clicking the "Click me" button to call the print() function.

Note

The victim will be using Chrome so test your exploit on that browser.

Solution

  1. Go to the exploit server and paste the following HTML template into the Body section:

    <style> iframe { position:relative; width:$width_value; height: $height_value; opacity: $opacity; z-index: 2; } div { position:absolute; top:$top_value; left:$side_value; z-index: 1; } </style> <div>Test me</div> <iframe src="YOUR-LAB-ID.web-security-academy.net/feedback?name=<img src=1 onerror=print()>&email=hacker@attacker-website.com&subject=test&message=test#feedbackResult"></iframe>
  2. Make the following adjustments to the template:
    • Replace YOUR-LAB-ID in the iframe src attribute with your unique lab ID so that the URL points to the target website's "Submit feedback" page.
    • Substitute suitable pixel values for the $height_value and $width_value variables of the iframe (we suggest 700px and 500px respectively).
    • Substitute suitable pixel values for the $top_value and $side_value variables of the decoy web content so that the "Submit feedback" button and the "Test me" decoy action align (we suggest 610px and 80px respectively).
    • Set the opacity value $opacity to ensure that the target iframe is transparent. Initially, use an opacity of 0.1 so that you can align the iframe actions and adjust the position values as necessary. For the submitted attack a value of 0.0001 will work.
  3. Click Store and then View exploit.
  4. Hover over "Test me" and ensure the cursor changes to a hand indicating that the div element is positioned correctly. If not, adjust the position of the div element by modifying the top and left properties of the style sheet.
  5. Click Test me. The print dialog should open.
  6. Change "Test me" to "Click me" and click Store on the exploit server.
  7. Now click on Deliver exploit to victim and the lab should be solved.

Community solutions

Intigriti