Learn & practice AWS Hacking:<imgsrc="/.gitbook/assets/arte.png"alt=""data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<imgsrc="/.gitbook/assets/arte.png"alt=""data-size="line">\
Learn & practice GCP Hacking: <imgsrc="/.gitbook/assets/grte.png"alt=""data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<imgsrc="/.gitbook/assets/grte.png"alt=""data-size="line">](https://training.hacktricks.xyz/courses/grte)
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=clickjacking) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Katika shambulio la clickjacking, **mtumiaji** anachukuliwa **kuamini** kuwa **anaklik****kipengele** kwenye ukurasa wa wavuti ambacho ni **bila kuonekana** au kimejificha kama kipengele kingine. Manipulasi hii inaweza kusababisha matokeo yasiyokusudiwa kwa mtumiaji, kama vile kupakua malware, kuelekezwa kwenye kurasa za wavuti zenye uharibifu, kutoa akreditif au taarifa nyeti, uhamishaji wa pesa, au ununuzi wa bidhaa mtandaoni.
Wakati mwingine inawezekana **kujaza thamani ya maeneo ya fomu kwa kutumia vigezo vya GET wakati wa kupakia ukurasa**. Mshambuliaji anaweza kutumia tabia hii kujaza fomu kwa data isiyo ya kawaida na kutuma payload ya clickjacking ili mtumiaji abonyeze kitufe cha Kutuma.
Ikiwa unahitaji mtumiaji **ajaze fomu** lakini hutaki kumwambia moja kwa moja aandike taarifa maalum (kama barua pepe au nywila maalum unayojua), unaweza kumwambia tu **Drag\&Drop** kitu ambacho kitaandika data unayodhibiti kama katika [**mfano huu**](https://lutfumertceylan.com.tr/posts/clickjacking-acc-takeover-drag-drop/).
Ikiwa umepata **shambulio la XSS linalohitaji mtumiaji kubonyeza** kwenye kipengee fulani ili **kuanzisha** XSS na ukurasa ni **hauna kinga dhidi ya clickjacking**, unaweza kutumia hii kumdanganya mtumiaji kubonyeza kitufe/kiungo.\
Mfano:\
_Umebaini **self XSS** katika maelezo binafsi ya akaunti (maelezo ambayo **ni wewe pekee unaweza kuweka na kusoma**). Ukurasa wenye **fomu** ya kuweka maelezo haya ni **hauna kinga** dhidi ya **Clickjacking** na unaweza **kujaza****fomu** kwa vigezo vya GET._\
\_\_Mshambuliaji anaweza kuandaa shambulio la **Clickjacking** kwa ukurasa huo **ukijaza****fomu** kwa **XSS payload** na **kumdanganya****mtumiaji** ku **wasilisha** fomu. Hivyo, **wakati fomu inawasilishwa** na thamani zimebadilishwa, **mtumiaji atatekeleza XSS**.
* **Mipangilio ya Usalama ya Kivinjari:** Baadhi ya vivinjari vinaweza kuzuia scripts hizi kulingana na mipangilio yao ya usalama au ukosefu wa msaada wa JavaScript.
* **HTML5 iframe `sandbox` Attribute:** Mshambuliaji anaweza kuondoa scripts za kuvunja fremu kwa kuweka sifa ya `sandbox` na thamani za `allow-forms` au `allow-scripts` bila `allow-top-navigation`. Hii inazuia iframe kuthibitisha ikiwa ni dirisha la juu, e.g.,
The `allow-forms` and `allow-scripts` values enable actions within the iframe while disabling top-level navigation. To ensure the intended functionality of the targeted site, additional permissions like `allow-same-origin` and `allow-modals` might be necessary, depending on the attack type. Browser console messages can guide which permissions to allow.
The **`X-Frame-Options` HTTP response header** informs browsers about the legitimacy of rendering a page in a `<frame>` or `<iframe>`, helping to prevent Clickjacking:
Further details and complex examples can be found in the [frame-ancestors CSP documentation](https://w3c.github.io/webappsec-csp/document/#directive-frame-ancestors) and [Mozilla's CSP frame-ancestors documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors).
**Content Security Policy (CSP)** is a security measure that helps in preventing Clickjacking and other code injection attacks by specifying which sources the browser should allow to load content.
* **Uthibitishaji wa Tokeni:** Tumia tokeni za anti-CSRF katika programu za wavuti ili kuhakikisha kwamba maombi yanayobadilisha hali yanafanywa kwa makusudi na mtumiaji na si kupitia ukurasa wa Clickjacked.
Tumia [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=clickjacking) kujenga na **kujiendesha kiotomatiki** kazi zinazotolewa na zana za jamii **zilizoendelea zaidi** duniani.\
Jifunze & fanya mazoezi ya AWS Hacking:<imgsrc="/.gitbook/assets/arte.png"alt=""data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<imgsrc="/.gitbook/assets/arte.png"alt=""data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <imgsrc="/.gitbook/assets/grte.png"alt=""data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<imgsrc="/.gitbook/assets/grte.png"alt=""data-size="line">](https://training.hacktricks.xyz/courses/grte)
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
