
This has something to do with a different post I made: Other post

While researching this a bit further I found the following blogpost: blog elev

As I understand it, this guy reads all content of a website and then displays it in his iframe. This way the x-frame-options is circumvented and the site can be displayed. He uses this functionality to test something or other.

This got me thinking about the security implications of this.

Consider the following scenario:

  • I have a site with a login page and I set the x-frame-options to SAMEORIGIN as I do not want to be vulnerable to clickjacking attacks
  • An attacker makes a site as in the blogpost and puts all content of my site into an iframe like reported in the blogpost. He then puts an invisible iframe on top of that, which he will use to gather whatever the users will put into the login form.
  • An attacker then tricks a user into clicking on his link to a site that has a URL similar to mine (e.g. mys1te.com).
  • The user thinks it is my site and logs in
  • The attacker has the credentials of the user

Isn't this a clickjacking attack? And if so, isn't this then a way to bypass the x-frame-options? And if so, what can be used to make 100% sure no clickjacking is possible?

I am trying to find the holes in this story.

Wealot

1 Answer


As I understand it this guy reads all content of a website and then displays it in his iframe.

He literally downloads the site's content and prints it out on his own page. This means that the content he downloaded afterwards belongs to his own domain.

But the whole idea of a clickjacking attack is that you embed a site from a different origin in a frame. For example, a simple clickjacking attack could be that I embed https://facebook.com/ in a hidden frame on my site and I position the frame in a way that as you click anywhere on my site, you actually click inside the frame and, say, involuntarily like one of my Facebook posts. Obviously, Facebook prevents this scenario by supplying an X-Frame-Options: DENY header.

However, if I proceed as in the blog post and download the Facebook page to my own domain to then embed it in my own frame, that would be pointless because clicking around in my downloaded copy of the page would not trigger any action on the real Facebook site.

  • An attacker then tricks a user into clicking on his link to a site that has a URL similar to mine (e.g. mys1te.com).
  • The user thinks it is my site and logs in

What you describe sounds more like a phishing attack. Copying the content of a different page and making it look similar to the original will always be possible.

Arminius
  • Ok clear, but (and here is my own limitation in understanding I think) is it then possible with the downloaded content to "do" a post request from the login form to the original site? And subsequently login the user to mysite.com from the evil mys1te.com? And redirect the user to the mysite.com but still log his credentials? – Wealot Mar 31 '17 at 12:59
  • @Wealot "is it then possible [..] to "do" a post request from the login form to the original site?" In theory, yes. That's actually a [cross-site-request forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) attack and can be prevented with form tokens. If the request originated from your evil site you will of course also be able to log the credentials. It's a legitimate attack, but pretty far from *clickjacking*, which is what you asked about. – Arminius Mar 31 '17 at 13:04
  • 1
    thanks for your replies! Now it comes together a bit more for me (especially your CSRF response). I just didn't grasp it fully enough to understand the connections and especially understand which connections are not there :D. Thank you! – Wealot Mar 31 '17 at 13:06
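To make the answer's distinction concrete (framing is blocked by response headers, while a form copied onto another domain is blocked by the session-bound "form tokens" the comments mention), here is an added example; it is not code from the question, the answer or the linked blog post, and the in-memory session store, the route names and the sample values are assumptions made for the illustration.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for the real site's server (assumption).
SESSIONS = {}

def new_session():
    """Issue a session id, as the server would set it in a cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid

def render_login_page(sid):
    """GET /login: anti-framing headers plus a hidden token bound to this session only."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf"] = token
    headers = {"X-Frame-Options": "SAMEORIGIN",
               "Content-Security-Policy": "frame-ancestors 'self'"}
    body = ('<form method="POST" action="/login">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="user"><input name="pass" type="password"></form>')
    return headers, body

def extract_token(html):
    """Read the hidden token out of served HTML, as a site that copies the page would."""
    marker = 'name="csrf" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]

def handle_login(sid, form):
    """POST /login: the token must match the one issued to the submitting session."""
    session = SESSIONS.get(sid)
    if session is None or "csrf" not in session:
        return 403, "no login form was issued to this session"
    if not hmac.compare_digest(session["csrf"].encode(), form.get("csrf", "").encode()):
        return 403, "token was issued to a different session"
    del session["csrf"]  # single use
    return 200, f"logged in {form.get('user')}"

def simulate():
    """Returns (status of copied-form submission, status of genuine submission)."""
    victim = new_session()
    _, real_html = render_login_page(victim)      # victim's browser loads the real page
    attacker = new_session()
    _, copied_html = render_login_page(attacker)  # copying site fetches the page under ITS session
    # Victim's browser submits the copied form: its own cookie, but the attacker's token.
    copied = handle_login(victim, {"csrf": extract_token(copied_html), "user": "alice", "pass": "x"})
    # Victim submits the form the server actually issued to them.
    genuine = handle_login(victim, {"csrf": extract_token(real_html), "user": "alice", "pass": "x"})
    return copied[0], genuine[0]
```

The copied form is rejected even though the victim's own cookie accompanies it, because the token inside it was issued to the copying site's session, not the victim's.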