
Is it possible to steal the source code through clickjacking, so that attacker can also steal the CSRF tokens?

This is a demo attack website:

<!DOCTYPE html>
<html>
<body>
<div draggable="true" ondragstart="test();">
<h3>DRAG ME!!</h3>
</div>
<script>

function test(){

    var v1 = document.createElement('iframe');
    v1.src = "http://demo.testfire.net/search.aspx?txtSearch=";
    v1.setAttribute("style", "opacity:0.5");
    v1.setAttribute("frameborder", "0");
    v1.setAttribute("scrolling", "no");
    v1.setAttribute("id", "pi");

    document.body.appendChild(v1);

    document.getElementById("pi").onload = function(){
        // An <iframe> element has no responseText property, so this alerts "undefined";
        // the framed document is cross-origin, so its contents cannot be read from here either.
        alert(this.responseText);
    }

}

</script>
</body>
</html>

Now as you can see I am trying to steal the source code with the help of an alert box. But I didn't succeed in that.

What am I missing here?

Anders

1 Answer


It is not possible to use clickjacking to get cross-origin access to the source code of a web page. This access is restricted by the same-origin policy and clickjacking does not bypass it. This means that, similar to a CSRF attack, you can cause a cross-origin action with clickjacking but you cannot read back the result of this action.

Thanks to Arminius for pointing out in a comment that it was once possible to exfiltrate content using clickjacking by using cross-origin drag and drop. See for example Clickjacking 2.0 with drag & drop or this bug for Firefox. This seems to be forbidden in the browsers for a while now, i.e. modern browsers should no longer be affected by this.

Mathieu K.
Steffen Ullrich
  • However, at least historically, there have been tricks such as invisible drag-and-drop operations to exfiltrate content from cross-origin frames. – Arminius Jan 28 '18 at 14:14
  • @Arminius: thanks for the feedback. I've added it to the answer. – Steffen Ullrich Jan 28 '18 at 14:36
  • Yeah, like my code above. But that's the question, how can I? Please see the question above. – Utkarsh Agrawal Jan 28 '18 at 15:00
  • @UtkarshAgrawal: *"How can I?"* - to cite myself: *This seems to be forbidden in the browsers since a while now, i.e. modern browsers should no longer be affected by this.* In other words: you can't. – Steffen Ullrich Jan 28 '18 at 15:18
  • Okay, so now we can't steal anything through this. But we can do XSS with it? – Utkarsh Agrawal Jan 28 '18 at 15:36
  • @UtkarshAgrawal: you might maybe use clickjacking to let the user exploit an XSS issue in the page which is only exploitable same-site. See https://www.acunetix.com/blog/articles/clickjacking-blind-xss/ – Steffen Ullrich Jan 28 '18 at 16:50