Oct 8, 2011
Clickjacking for Shells
Andrew Horton (urbanadventurer) presented Clickjacking for Shells at the OWASP Wellington, New Zealand Chapter Meeting on September 20th, 2011.
Two years after the world was warned about clickjacking, popular web apps are still vulnerable and no web app exploits have been published. With many security pros considering clickjacking to have mere nuisance value on social networks, the attack is grossly underestimated. I will demonstrate step by step how to identify vulnerable applications, how to write exploits that attack web apps and also how to protect against clickjacking. To demonstrate this issue I will publish an 0day clickjacking exploit for WordPress v3.1.2 and earlier to gain a shell on the webserver. In May this year the tech media reported and speculated upon clickjacking protection being implemented in WordPress and now I will show you why it is so important.
# ITS © # 2009 - 2011
Sep 30, 2009
Clickjacking
Clickjacking is the process of hijacking a user's click in a web browser and redirecting it to an entirely different action than the one the user intended. This is done by creating a visual illusion: the user cannot see the real item he is clicking and is instead made to believe he is clicking something entirely different.
An attacker accomplishes this by creating a transparent iframe that contains the target page, on which sits the item he wants the victim to click. He then embeds this iframe in a malicious page under his control. When a user visits the malicious page, the attacker keeps the iframe positioned under the user's mouse at all times. Because the iframe is transparent, the user never sees it and believes he is clicking one of the items on the malicious page. The click actually lands on the target item in the target page, so the user is tricked into doing something he never intended.
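The defence against this is for the target page to tell the browser it may not be framed. As an added example (not code from the original post), the check below classifies a response's framing policy from its headers, using the two controls browsers honour: Content-Security-Policy frame-ancestors and X-Frame-Options. The header values are constructed samples.

```python
"""Classify a response's clickjacking (framing) protection from its headers."""


def _parse_csp(value):
    """Return {directive: [sources]} parsed from a CSP header value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def framing_protection(headers):
    """Return a verdict string for the framing policy in `headers` (a dict).

    Header names are matched case-insensitively. Browsers that understand
    frame-ancestors ignore X-Frame-Options when both are present, so the
    CSP directive is evaluated first.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp:
        sources = _parse_csp(csp).get("frame-ancestors")
        if sources is not None:
            if sources == ["'none'"]:
                return "csp-deny"          # nobody may frame the page
            if "*" not in sources:
                return "csp-restricted"    # only listed origins / 'self'
            return "unprotected"           # frame-ancestors * allows any framer
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "xfo-deny"
    if xfo == "SAMEORIGIN":
        return "xfo-sameorigin"
    if xfo.startswith("ALLOW-FROM"):
        return "weak"  # ALLOW-FROM is unsupported by modern browsers
    return "unprotected"   # unrecognised or absent value: browsers ignore it


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "legacy": {"X-Frame-Options": "SAMEORIGIN"},
        "vulnerable": {"Content-Type": "text/html"},
    }
    for name, hdrs in samples.items():
        print(f"{name}: {framing_protection(hdrs)}")
```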