Monday, 29 June 2015

Hack facebook by Click Jacking




What is Clickjacking:

Clickjacking attack allows to perform an action on victim website, Mostly Facebook and Twitter accounts are targetable. 
when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top 
level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both. It may be similar to CSRF Cross Site Request Forgeries Attack.  

Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in 
2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they
are typing in the password to their email or bank account, but are instead typing into 
an invisible frame controlled by the attacker. 

At present this attack mostly use on social network websites like Facebook and twitter, Because this attack is used by convinced victim for click on the link and SocialNetwork website might be very useful for attack on victim.

One famous example of clickjacking is Facebook.



Script copy from here


 <style>
 iframe { /* iframe from facebook.com */
  width:300px;
  height:100px;
  position:absolute;
  top:0; left:0;
  filter:alpha(opacity=50); /* in real life opacity=0 */
  opacity:0.5;
}
</style>

<div>Click on the link to get more followers:</div>
 
<iframe src="/files/tutorial/window/clicktarget.html"></iframe>

<a href="http://www.google.com" target="_blank" style="position:relative;left:20px;z-index:-1">CLICK ME!</a>


Download 
Click Jacking Tool 

For more information

OWASP




No comments:

Post a Comment