
I am learning JavaScript. I am also researching web-based vulnerabilities to learn. I was just wondering how JavaScript can be used to steal the view page source, or any text or tokens leaking on the page, via Clickjacking. I need a demo PoC to see how it works. I know we can use Ctrl+C for copying leaking text on a web page and Ctrl+V for pasting the copied token into the input box for hijacking, and then sending it to the attacker's server.

  • Please do a little bit of effort on your own first by using a search engine and searching for [clickjacking demo code](https://www.google.com/search?q=clickjacking+demo+code). There are many hits. – Steffen Ullrich Mar 10 '19 at 13:24
  • Note that in most cases, the attackers will be able to visit the page being attacked (if for their account), and so will be able to get the source for the web page "legitimately"; for example, when attacking a bank page making transfers, the attackers will likely open an account at the bank. – Clockwork-Muse Mar 10 '19 at 23:30

1 Answer


Stealing information is not easily possible and not what Clickjacking is really about.

Clickjacking is functionally similar to CSRF, in that you can perform actions on the site across origins, but you cannot retrieve information.

With Clickjacking, you can perform any click actions, and potentially also enter text by dragging it into the iframe (depending on the browser). But you cannot drag text out of the iframe, because the same origin policy prevents that.

> I know we can use Ctrl+C for copying leaking text on web page and Ctrl+V for pasting the copied token on the input box for hijacking.

That's a neat idea, but it requires some unlikely user interaction.

For a quick example, consider this:

```html
<!-- attacker.com/clickjack.html -->
<div style="position: absolute; left: 10px; top: 10px; pointer-events: none;">Copy this (double click -> CTRL+C)</div>
<iframe style="opacity: 0;" height="100" width="100" scrolling="no" src="http://example.com/steal.html"></iframe>
<input type="text" placeholder="to here (CTRL+V)" oninput="alert('stolen: ' + this.value)">
```

```html
<!-- example.com/steal.html -->
secret
```

For a successful attack, a user would need to double-click on the upper-left of the page (certainly doable), press CTRL+C (unlikely), select the input, and press CTRL+V (also unlikely).

This would also only work in Firefox, as Chrome doesn't allow selecting invisible text.

You could likely improve on the attack, for example by "highlighting" the overlay text ("Copy this") once the page loses focus (so it looks as if the double click actually selected that text, instead of the text in the iframe). You can further improve the attack using JavaScript and the usual advanced Clickjacking techniques (automatically tracking the mouse cursor, etc).

There shouldn't be any way to steal source code this way (you can't use view-source:... as a src in an iframe).

tim