Archive

Posts Tagged ‘clickjacking’

WordPress 2.7.1 Clickjacking – Arbitrary link-add.php

May 4th, 2009

In the hope that more people will build on ideas of clickjacking and developers will become aware, I decided to post the proof-of-concept that I had worked up a little while ago.

The fun thing about this particular example is that we are taking a base URL of a WordPress blog and dynamically iframing in the clickjacked content. Of course this isn't necessary for targeted attacks; it's just an example of making something that would otherwise have to be targeted more generic.

It's worth noting that if we choose to go the targeted attack route, we can place the link in a comment, which in many cases a moderator will review while logged in.

With this one we can set the title and address of a link by passing the parameters CSRF-style to the link-add.php script. Once the user clicks, the link is automatically added to the default Blogroll. A malicious attacker might leverage this to coerce readers into click fraud or donation sites, or drive them to a page with more direct attacks.

Devs, watch those admin pages. You're going to need to bust frames if you want to avoid the LOLs.

Try it out for yourself.

Note:  This has been fixed on the WordPress.com community.  ;)

Update 6/15/09:  Not fixed in WordPress 2.8
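The frame-busting advice above boils down to one check a defender can run against an admin URL: does the response carry anti-framing headers that stop a third-party page from iframing it? The following is an added example, not code from the original post; the header samples in it are constructed, and the function names are this example's own.

```python
"""Check whether an HTTP response can be framed by an arbitrary third-party
origin, i.e. whether its anti-framing headers would stop a clickjacking page
from iframing it. Added example, not code from the original post; the
header samples at the bottom are constructed."""
from typing import Dict, Optional

ANY_ORIGIN = {"*", "http:", "https:"}  # CSP sources that admit any host


def csp_frame_ancestors(csp: str) -> Optional[str]:
    """Return the source list of the frame-ancestors directive, or None if
    the policy has no such directive. An empty source list means 'none'."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:]) or "'none'"
    return None


def frameable_by_any_origin(headers: Dict[str, str]) -> bool:
    """True if nothing in the headers prevents an arbitrary site from
    framing the page. Header names are matched case-insensitively.
    A CSP frame-ancestors directive overrides X-Frame-Options (CSP Level 2),
    so it is evaluated first."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = csp_frame_ancestors(csp)
        if sources is not None:
            return any(s in ANY_ORIGIN for s in sources.lower().split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    # Missing, unrecognised, or ALLOW-FROM (never supported by all browsers):
    # conservatively assume the frame will render.
    return True


def verdict(label: str, headers: Dict[str, str]) -> str:
    """One-line report for a labelled set of response headers."""
    state = "FRAMEABLE (clickjacking risk)" if frameable_by_any_origin(headers) else "protected"
    return f"{label}: {state}"


# Constructed samples: a bare admin page versus hardened responses.
SAMPLES = {
    "admin page, no anti-framing header": {"Content-Type": "text/html"},
    "admin page with X-Frame-Options": {"X-Frame-Options": "SAMEORIGIN"},
    "admin page with CSP": {"Content-Security-Policy": "frame-ancestors 'self'"},
    "conflicting headers": {"X-Frame-Options": "DENY",
                            "Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(verdict(label, hdrs))
```

The "conflicting headers" sample shows the caveat worth remembering: a permissive frame-ancestors directive silently cancels a strict X-Frame-Options in browsers that honour CSP.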


Clickjacking Metasploit Aux Module

February 21st, 2009

In the last few months we've heard and seen a variety of proofs of concept as well as a high-profile real-world example of clickjacking. I recently decided to explore the possibilities of quickly and effectively implementing these attacks through the Metasploit framework.

The result is a Metasploit auxiliary module that allows the user to select an HTML file to inject attack code into, targeting a selected URL. It works fairly well, but be prepared to type. The nature of the attack requires quite a few settings to be entered, and then I added options on top of that for flexibility. That said, if clickjacking is your bag and you plan on doing it frequently, this may be a real timesaver.

Download clickjacker.rb
