The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Clickbandit -- Can anyone explain?

James | Last updated: Jan 22, 2022 12:18AM UTC

I have a bit of an odd issue -- hopefully, someone can get to the bottom of it. I'm testing an application missing the X-Frame-Options header. If I run Clickbandit -- it refuses to load the frame -- as it violates one of the CSP 'frame-src' rules, which seems odd. If I manually check a basic PoC such as the one below, it works just fine:

<iframe src="https://xxxxx.com/"></iframe>

Any ideas? Why is Clickbandit refusing to load the content - but a basic HTML iframe works fine?

Gareth | Last updated: Jan 22, 2022 12:14PM UTC

Hi James,

At a guess this is probably because Clickbandit uses data URLs in iframes. Please could you post the CSP violation from the console so I can confirm this?

Cheers

James | Last updated: Jan 23, 2022 09:49PM UTC

Here's the console:

Refused to frame 'https://EXAMPLE.com/' because it violates the following Content Security Policy directive: "frame-src https://js.EXTERNAL.com/".
VM71:6772 crbug/1173575, non-JS module files deprecated.
(anonymous) @ VM71:6772
VM53:575 Uncaught DOMException: Blocked a frame with origin "https://EXAMPLE.com" from accessing a cross-origin frame.
    at HTMLIFrameElement.iframe.onload (<anonymous>:575:14)
iframe.onload @ VM53:575
load (async)
ready @ VM53:573
(anonymous) @ VM53:582
(anonymous) @ VM53:584

Gareth | Last updated: Jan 24, 2022 10:05AM UTC

Hi James,

Because Clickbandit uses data: URLs, I think this is why you see a CSP violation. A workaround for this would be to remove the CSP response headers using Burp's match and replace and use Clickbandit to construct your attack, then manually decode the data URL from base64 and save it as a separate file. Then modify the PoC code to point to your base64-decoded file. We'll add an option to improve Clickbandit so you can download the files without data URLs in future.

Cheers.
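As an added example that is not part of the thread or of Burp's own code, the following JavaScript (Node's WHATWG URL class is assumed) implements enough of the CSP frame-src matching rules to reproduce the refusal in James's console output: a host-source such as https://js.EXTERNAL.com/ never matches a data: URL or a different host, and only an explicit data: scheme-source would allow a data: frame.

```javascript
// Added example (not code from the thread or from Burp): a minimal CSP frame-src
// matcher following the CSP3 rules for 'none', 'self', scheme-source and
// host-source (nonces and hashes are not handled). It shows why a directive of
// "frame-src https://js.EXTERNAL.com/" refuses both https://EXAMPLE.com/ and a data: URL.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };
function hostMatches(pattern, hostname) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) {
    // "*.example.com" matches any subdomain but not example.com itself
    const suffix = pattern.slice(1).toLowerCase();
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern.toLowerCase() === hostname;
}

// True when `candidate` (an iframe src) is permitted by `frameSrc` (the value of the
// frame-src directive) inside a document whose origin is `pageOrigin`.
function frameSrcAllows(frameSrc, candidate, pageOrigin) {
  const url = new URL(candidate);
  const page = new URL(pageOrigin);
  const sources = frameSrc.trim().split(/\s+/).filter(Boolean);
  if (sources.length === 0 || sources.includes("'none'")) return false;
  for (const src of sources) {
    if (src === "'self'") {
      if (url.origin === page.origin) return true;
      continue;
    }
    // scheme-source such as "data:" or "https:"; the only way a data: URL can be allowed
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {
      if (url.protocol === src.toLowerCase()) return true;
      continue;
    }
    // host-source: [scheme://]host[:port][/path]
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(\/.*)?$/i.exec(src);
    if (!m) continue;
    const [, scheme, host, port, path] = m;
    // data: and blob: URLs carry no host, so a host-source never matches them
    if (url.protocol === 'data:' || url.protocol === 'blob:') continue;
    if (scheme && url.protocol !== scheme.toLowerCase() + ':') continue;
    // a scheme-less source takes the page's scheme (http pages may also allow https)
    if (!scheme && url.protocol !== page.protocol && !(page.protocol === 'http:' && url.protocol === 'https:')) continue;
    if (!hostMatches(host, url.hostname)) continue;
    // WHATWG URL reports a scheme's default port as '', so a port-less source only matches the default port
    const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
    if (port ? (port !== '*' && port !== urlPort) : url.port !== '') continue;
    if (path && (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path)) continue;
    return true;
  }
  return false;
}
```

Note that frame-src only restricts what a page may itself embed; stopping a page from being framed by others is the job of frame-ancestors or the X-Frame-Options header that James found missing.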

kevinkatler | Last updated: Oct 24, 2022 06:24AM UTC