Users are often the weakest link when looking for vulnerabilities, and it's no surprise that they can easily be deceived. One way to do this is called clickjacking. In this type of attack, the victim is essentially tricked into clicking on something they never intended to click, with the target of the click under the attacker's control. Burp Suite includes a useful tool called Clickbandit for automatically generating a clickjacking attack.
Clickjacking is a technique that causes a user to unknowingly click on an element in a hidden lower layer, usually a button or a link, when they intend to click on something in the visible top layer. This can be achieved using hidden iframes, text fields, or stylesheets. Clickjacking, also known as UI redressing, is a combination of the words "click" and "hijacking": the attacker essentially hijacks the user's clicks to perform actions without the user's knowledge.
In recent years, Facebook's "Like" buttons were the target of this type of attack, which became known as likejacking. Unsuspecting users ended up liking Facebook pages they had no intention of liking.
In this guide, we will use the vulnerable Mutillidae virtual machine together with Burp Suite to demonstrate how quickly and easily a clickjacking attack can be set up.
Using Clickbandit to Make an Attack
To get started, we need to launch Mutillidae and Burp Suite. Next, we'll configure the browser to use Burp as its proxy so that requests can be intercepted.
In Firefox, open "Settings" and scroll to the "Network Proxy" section. Click the "Settings" button, select "Manual proxy configuration", and enter 127.0.0.1 as the HTTP Proxy and 8080 as the Port. Enable "Use this proxy server for all protocols" and make sure the "No proxy for" field is empty. Click "OK" and we should be ready to go.
In Burp, go to the Proxy tab and make sure that "Intercept" is switched on. Back in Mutillidae, simply navigate to the home page, which is where we will perform the clickjacking attack. The request should now appear in Burp.
Click "Burp" at the top of the window and select "Burp Clickbandit" from the drop-down menu. A new window displays instructions for using the tool.
Click "Copy Clickbandit to Clipboard" to copy the script to the clipboard. Then go back to the Mutillidae home page in the browser. In Burp, either forward the request or turn off Intercept so that the page reloads.
The Clickbandit banner should now appear at the top of the browser with options to start and finish the proof of concept. We can also check the "Disable Click Action" box to prevent our clicks from taking effect while we record the attack.
Now all we have to do is perform the series of clicks the victim is supposed to make. In this case, we simply click the "Login / Register" button. When done, click "Finish" and the proof of concept will be displayed for review.
There are also options to increase or decrease the transparency, move the position of the iframe with the arrow keys, or reset the attack. When satisfied, click "Save" to store the proof of concept locally as an HTML file for later use or modification.
When the attack is executed and the victim clicks on the hidden iframe, a message is displayed stating that the site is vulnerable. This message, or any other part of the code, can be changed by editing the saved HTML file.
Preventing Clickjacking
Although clickjacking is not part of the OWASP Top 10, it still poses a significant threat to unsuspecting users. The consequences of these attacks range from simple website defacement to disclosure of confidential data and deletion of private information. Fortunately, there are a few simple ways to defend against clickjacking.
One of the simplest client-side defenses is an extension like NoScript, which includes a feature that alerts users when they are about to click on invisible or embedded objects. A more robust, server-side approach is the frame-ancestors directive of Content Security Policy, effectively the successor to the X-Frame-Options header, which prevents the page from being framed by other, potentially malicious domains. A further defense against clickjacking is frame-busting code that ensures the page is always the topmost window.
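As a defender-side check for the two headers just described, the script below (an added example, not part of the original guide or of Burp Suite) classifies a response's X-Frame-Options and CSP frame-ancestors settings and shows why a CSP wildcard overrides a DENY. The sample header sets are constructed, and the partner.example origin is a placeholder.

```python
from typing import Dict, List, Optional

def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def clickjacking_verdict(headers: Dict[str, str]) -> str:
    """Classify one HTTP response's anti-framing posture:
    'protected'  - no origin may frame the page (frame-ancestors 'none' / DENY)
    'restricted' - only the same origin or an allow-list may frame it
    'frameable'  - any origin may frame it, so a Clickbandit-style PoC would load
    Header names are compared case-insensitively; assumes one value per header name."""
    h = {name.lower(): value for name, value in headers.items()}
    # Browsers that support CSP enforce frame-ancestors and ignore X-Frame-Options
    # when both are present, so the CSP directive is checked first.
    # Content-Security-Policy-Report-Only only reports and is deliberately ignored.
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors in ([], ["'none'"]):      # empty source list also matches nothing
            return "protected"
        if any(src in ("*", "http:", "https:") for src in ancestors):
            return "frameable"                 # wildcard or any origin of a scheme
        return "restricted"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "protected"
    if xfo == "SAMEORIGIN":
        return "restricted"
    # Missing header, or the obsolete ALLOW-FROM form (ignored by modern browsers)
    return "frameable"

# Constructed sample responses, not captured from Mutillidae or any real site.
SAMPLE_RESPONSES = {
    "legacy app, no headers": {"Content-Type": "text/html"},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "xfo sameorigin": {"x-frame-options": "sameorigin"},
    "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp allow-list": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "csp wildcard beats xfo": {"X-Frame-Options": "DENY",
                               "Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label:24} -> {clickjacking_verdict(hdrs)}")
```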
Clickjacking can be a valuable offensive technique in the right situations, but building an attack by hand is often time consuming. Burp Suite's Clickbandit automates this process so that an attack can be created with little effort. Once a proof of concept has been created and the vulnerability proven, it takes little imagination to turn it into a simple point-and-click hack.