Burp Suite User Forum


Clickbandit -- Can anyone explain?

James | Last updated: Jan 22, 2022 12:18AM UTC

I have a bit of an odd issue -- hopefully, someone can get to the bottom of it. I'm testing an application missing the X-Frame-Options header. If I run Clickbandit -- it refuses to load the frame -- as it violates one of the CSP 'frame-src' rules, which seems odd. If I manually check a basic PoC such as the one below it works just fine: <iframe src="https://xxxxx.com/"></iframe> Any ideas? Why is Clickbandit refusing to load the content -- but a basic HTML iframe works fine?

Gareth | Last updated: Jan 22, 2022 12:14PM UTC

Hi James,

At a guess, this is probably because Clickbandit uses data URLs in iframes. Please could you post the CSP violation from the console so I can confirm this.

Cheers

James | Last updated: Jan 23, 2022 09:49PM UTC

Here's the console:

Refused to frame 'https://EXAMPLE.com/' because it violates the following Content Security Policy directive: "frame-src https://js.EXTERNAL.com/".
VM71:6772 crbug/1173575, non-JS module files deprecated.
(anonymous) @ VM71:6772
VM53:575 Uncaught DOMException: Blocked a frame with origin "https://EXAMPLE.com" from accessing a cross-origin frame.
    at HTMLIFrameElement.iframe.onload (<anonymous>:575:14)
iframe.onload @ VM53:575
load (async)
ready @ VM53:573
(anonymous) @ VM53:582
(anonymous) @ VM53:584

Gareth | Last updated: Jan 24, 2022 10:05AM UTC

Hi James,

Because Clickbandit uses data: URLs, I think this is why you see a CSP violation. A workaround for this would be to remove the CSP response headers using Burp's match and replace and use Clickbandit to construct your attack, then manually decode the data URL from base64 and save it as a separate file. Then modify the PoC code to point to your base64-decoded file. We'll add an option to improve Clickbandit so you can download the files without data URLs in future.

Cheers.
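
An added example, not from this thread or from PortSwigger: a simplified CSP source matcher in Python that reproduces the decision in the console output above, where the target page's own "frame-src https://js.EXTERNAL.com/" directive refuses both an https://EXAMPLE.com/ frame and a data: frame, and shows which policy would allow each. Keep in mind that frame-src restricts what a page may embed, while X-Frame-Options and frame-ancestors restrict who may embed it, and only the latter pair is the clickjacking defence under test here. The policy string and page origin are taken from the console output; the data: URL is a constructed sample, and default ports and nonce/hash keywords are not handled.

```python
from urllib.parse import urlparse

POLICY = "frame-src https://js.EXTERNAL.com/"          # from the console output in the thread
PAGE_ORIGIN = "https://EXAMPLE.com"                     # origin of the page whose CSP applies
DATA_URL = "data:text/html;base64,PGgxPmhpPC9oMT4="     # constructed sample, not Clickbandit output

def _host_matches(pattern: str, host: str) -> bool:
    # "*.example.com" matches any subdomain but not the bare domain.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host

def source_allows(source: str, url: str, page_origin: str) -> bool:
    """Does one CSP source expression permit loading url? (simplified CSP3 matching)"""
    src, target, page = source.strip().lower(), urlparse(url), urlparse(page_origin)
    if src == "'none'":
        return False
    if src == "'self'":
        return (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port)
    if src.startswith("'"):          # nonces and hashes do not apply to framed documents
        return False
    if src.endswith(":") and "/" not in src:   # scheme source, e.g. "data:" or "https:"
        return target.scheme == src[:-1]
    if "://" in src:                 # host source with an explicit scheme
        pat = urlparse(src)
        if target.scheme != pat.scheme:
            return False
    else:                            # scheme-less host source: page's scheme, or its https upgrade
        pat = urlparse("//" + src)
        if target.scheme not in (page.scheme, "https"):
            return False
    if not _host_matches(pat.hostname or "", target.hostname or ""):
        return False
    if pat.port is not None and pat.port != target.port:   # default ports are not normalised here
        return False
    if pat.path:                     # "/dir/" is a prefix match, "/file" must match exactly
        tpath = target.path or "/"
        return tpath.startswith(pat.path) if pat.path.endswith("/") else tpath == pat.path
    return True

def frame_src_allows(policy: str, url: str, page_origin: str) -> bool:
    """Evaluate frame-src (falling back to child-src, then default-src) for one frame URL."""
    parsed = [d.split() for d in policy.split(";")]
    directives = {p[0].lower(): p[1:] for p in reversed(parsed) if p}   # first occurrence wins
    for name in ("frame-src", "child-src", "default-src"):
        if name in directives:
            return any(source_allows(s, url, page_origin) for s in directives[name])
    return True                      # no governing directive: the browser does not restrict frames
```

With POLICY as shown, frame_src_allows refuses both https://EXAMPLE.com/ and the data: URL, which is exactly what the console reported; adding 'self' data: to frame-src allows both.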

kevinkatler | Last updated: Oct 24, 2022 06:24AM UTC

You cannot display a lot of websites inside an iframe. The reason is that they send an "X-Frame-Options: SAMEORIGIN" response header. This option prevents the browser from displaying iframes that are not hosted on the same domain as the parent page.

I faced the same error when displaying YouTube links. For example: https://www.youtube.com/watch?v=8WkuChVeL0s I replaced watch?v= with embed/ so the valid link will be: https://www.youtube.com/embed/8WkuChVeL0s It works well. Try to apply the same rule in your case.

SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin.

http://net-informations.com/q/mis/youtube.html
