meet Malik kakyzai, total security expert....seriously, just ask him.

No explicit questions like "how do I hack xxx.com" please!
Post Reply
User avatar
bad_brain
Site Owner
Site Owner
Posts: 11616
Joined: 06 Apr 2005, 16:00
16
Location: The zone.
Contact:

meet Malik kakyzai, total security expert....seriously, just ask him.

Post by bad_brain »

just got 4 mails sent to the tech-support@ address of one of my main clients, telling me how totally insecure things are with their website and even their mail (which is handled by gmail lol).

so if you and your mates are looking for a cool drinking game: have a shot every time you read something that makes no sense at all....you'll be hammered in no time:

Code: Select all

Hi team,

This time I found this vulnerability in your website.

VULNERABILITY REPORT 4 : CLICK JACKING CAN LEAD TO ACCOUNT TAKEOVER

*Issue:*

Clickjacking (User Interface redress attack, UI redress attack, UI
redressing) is a malicious technique of tricking a Web user into clicking on
something different from what the user perceives they are clicking on, thus
potentially revealing confidential information or taking control of their
computer while clicking on seemingly innocuous web pages.

The server didn't return an X-Frame-Options header which means that this
website could be at risk of a clickjacking attack. The X-Frame-Options HTTP
response header can be used to indicate whether or not a browser should be
allowed to render a page in a <frame> or <iframe>. Sites can use this to
avoid clickjacking attacks, by ensuring that their content is not embedded
into other sites.

This vulnerability affects Web Server.

POC

Here are the steps to reproduce the vulnerability

*1.open notepad and paste the following code *
<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<title>i Frame</title>
</head>
<body>
<h3>This is clickjacking vulnerable</h3>
<iframe src="https://beyondphilosophy.com/" frameborder="2 px"
height="500px" width="500px"></iframe>
</body>
</html>
2.save it as <anyname>.html eg s.html
3.and just simply open that..

4. Understanding the Remedial Action for Clickjacking

Clickjacking can be prevented using a host of client side browser plugins
such as
• NoScript – http://noscript.net
• Web Protection Suite – http://www.comitari.com/Web_Protection_Suite
These plugins are recommended for daily browsing and can also protect users
against additional client side attacks, such as XSS (Cross Site Scripting).
The above plugins are client side prevention techniques that should be
taught to all application users; however, steps must also be taken from the
developer’s end.

The following techniques can be used to aid in the prevention of
clickjacking:

4.1. X-Frame-Options

The simplest of all the techniques that only requires a simple
configuration setting; for example, this can be done within Apache using
the following line:

<pre lang="JavaScript" line="1">Header always append X-Frame-Options
DENY</pre>

4.2. FrameBusting JavaScript

This method utilizes JavaScript to “bust” iframes. This is done by checking
if the current web page is the top web page (not within a frame) and if the
web page is currently not the top page, then it becomes the top page.

The following example segment of code can be used to demonstrate this:

<pre lang="JavaScript" line="1">if (top.location.hostname !=
self.location.hostname){
top.location.href = self.location.href;
}</pre>

It should be noted that recent techniques have found to be able to bypass
this clickjacking prevention technique as seen in the whitepaper by web
application security researcher Collin Jackson –
http://www.collinjackson.com/research/xssauditor.pdf.

4.3.Unique URL request

Similar to a CSRF nonce, this can be employed so attackers cannot deliver
the attack URL easily.

4.4. CAPTCHAs

Similar to the way it prevents attackers from spamming a web form,
this can be used as an additional layer of verification on each transaction.

4.5. Element Randomization

Generally it is possible to clickjack due to buttons and links being in a
static area of the web page, allowing attackers to place invisible frames
over them. A technique to prevent this from occurring is to randomize the
links or buttons on load, thus preventing attackers from hard coding static
iframes.

*Proof of concept:*
[image: image.png]
[image: image.png]
*EXPLOIT: *

The impact is high. This vulnerability can be linked to a multitude of
attacks including keylogging and stealing user credentials.

An example of an attack on an application could consist of sending out
emails to authenticated users of the application. This would require either
some amount of inside knowledge to target specific users. Alternatively,
mass emails could be sent out in the hope one user logged in to the
application responds. The email would contain an “interesting” link which
directs the victim to a landing page displaying an advert.


On the landing page is a “skip this ad” link that has a transparent iframe
located over it (placed by the attacker). When the victim then clicks on
the link, they will interact with the attacker’s malicious code.

Further examples of clickjacking attacks can be seen occurring in the past
on social media sites where victims are enticed into clicking links which
spam their contacts as reported by the BBC News –
http://www.bbc.co.uk/news/10224434.

The clickjacking attack:

The “clickjacking” attack allows an evil page to click on a “victim site”
on behalf of the visitor.

Many sites were hacked this way, including Twitter, Facebook, Paypal and
other sites. They are all fixed, of course.

The idea:

The idea is very simple.

Here’s how clickjacking was done with Facebook:

A visitor is lured to the evil page. It doesn’t matter how.
The page has a harmless-looking link on it (like “get rich now” or “click here,
very funny”).
Over that link the evil page positions a transparent <iframe> with src from
facebook.com, in such a way that the “Like” button is right above that
link. Usually that’s done with z-index.
In attempting to click the link, the visitor in fact clicks the button.

Here’s how the evil page looks. To make things clear, the <iframe> is
half-transparent (in real evil pages it’s fully transparent):

*The Demo : *

<!DOCTYPE HTML>
<html>
<head>
  <meta charset="utf-8">
</head><body>

<style>
iframe { /* iframe from the victim site */
  width: 400px;
  height: 100px;
  position: absolute;
  top:0; left:-20px;
  opacity: 0.5; /* in real opacity:0 */
  z-index: 1;
}
</style>

<div>Click to get rich now:</div>

<!-- The url from the victim site -->
<iframe src="/clickjacking/facebook.html"></iframe>

<button>Click here!</button>

<div>...And you're cool (I'm a cool hacker actually)!</div>

</body>
</html>

The above demo attack which I showed you in the above scenario can be done
on your website by making the exploit according to your website as your
website is vulnerable to click jacking.

Reference :
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OWASP-CS-004)
SOLUTION:
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet


Thanks.
Looking after your response. Have a nice day
-- 
Regards
Security Research Team
Image

User avatar
ayu
Staff
Staff
Posts: 8094
Joined: 27 Aug 2005, 16:00
16
Contact:

Re: meet Malik kakyzai, total security expert....seriously, just ask him.

Post by ayu »

wow...
"The best place to hide a tree, is in a forest"

User avatar
ph0bYx
Staff Member
Staff Member
Posts: 2030
Joined: 22 Sep 2008, 16:00
13
Contact:

Re: meet Malik kakyzai, total security expert....seriously, just ask him.

Post by ph0bYx »

Not sure I understand the purpose of the email. Is he trying to sell his services to fix these issues or was this just some educational spam email? :D

User avatar
bad_brain
Site Owner
Site Owner
Posts: 11616
Joined: 06 Apr 2005, 16:00
16
Location: The zone.
Contact:

Re: meet Malik kakyzai, total security expert....seriously, just ask him.

Post by bad_brain »

he sent those mails (there were 4 of them, I only used the shortest one) to the tech-support address for a pretty big client site I am managing and hosting, offering "help"....either it's an unethical attempt to get a foot in the door on the market or a complete scam.
that kind of sales strategy is called fear marketing, I had a couple of similar attempts for other client sites already but this one was by far the most annoying....luckily it went straight to me, often it goes directly to the clients and then you have to deal with them being all unsettled.
Image

Post Reply