web-application-penetration-testing

Apitest is a platform for testing all your API requests.

About Vulnerability:

Bug Name: Click-jack attack
On URL: https://www.apitest.io/

Proof of Concept :

  • Create a Notepad file, put all of the code in it, and save it with a .htm or .html extension.
  • Clickjacking POC by Ankit Sethi. I made the top frame become partially transparent with JavaScript when the mouse pointer is over the frames, so you can see which site is actually in the top frame. When a malicious site tries to trick people, all that is ever seen is the bottom frame. It tries to get the victim to click on things in the bottom frame while the victim is actually affecting the site in the top frame (which they do not see).

  • Step 2:- Open this file in any browser to see the clickjacking vulnerability in your site (check my attached screenshot).

Impact :-

  • A click on the link actually happens on the iframe. Bingo! If the visitor is logged into apitest.io (and most of the time they are), then apitest.io receives the click on behalf of the visitor.
  • Actually, any single-click action is doable. All we need is to position the victim site's iframe correctly. Most of the time, the markup allows it.
  • Key events are much harder to hijack, because if the iframe is invisible, then the text in its input fields is invisible too. The visitor will start to type, but won't see any text and won't continue the action.

    Here the user profile page and the dashboard are all exposed to clickjacking, which is very dangerous because an attacker can easily make clickjacking code to hack any user.
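To confirm whether a page such as the profile page or dashboard can be framed at all, a defender can inspect the two response headers browsers use to block framing: X-Frame-Options and the Content-Security-Policy frame-ancestors directive. The following is an added example, not part of the original report; the function names and sample headers are constructed for illustration.

```python
# Added example: classify a response's anti-framing headers (constructed samples below).
BROAD_SOURCES = {"*", "http:", "https:"}  # frame-ancestors values that admit any site


def parse_frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP header value, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_verdict(headers):
    """Return (protected, reason) for a dict of HTTP response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    # Only the enforcing header counts; Content-Security-Policy-Report-Only blocks nothing.
    sources = parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # When frame-ancestors is present, supporting browsers ignore X-Frame-Options.
        if not sources or sources == ["'none'"]:
            return True, "frame-ancestors forbids all framing"
        if BROAD_SOURCES & set(sources):
            return False, "frame-ancestors allows any origin"
        return True, "frame-ancestors limited to: " + " ".join(sources)
    # Repeated headers arrive comma-joined; accept only one unambiguous value.
    xfo = {v.strip().upper() for v in h.get("x-frame-options", "").split(",") if v.strip()}
    if xfo == {"DENY"} or xfo == {"SAMEORIGIN"}:
        return True, "X-Frame-Options " + xfo.pop()
    if any(v.startswith("ALLOW-FROM") for v in xfo):
        return False, "ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return False, "unrecognised or conflicting X-Frame-Options value"
    return False, "no framing policy sent"


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no headers": {},
    "legacy header": {"X-Frame-Options": "sameorigin"},
    "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp wildcard overrides xfo": {"Content-Security-Policy": "frame-ancestors *",
                                   "X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {framing_verdict(hdrs)}")
```

A "not protected" verdict on an authenticated page is the condition the proof of concept above relies on; sending `frame-ancestors 'none'` (or `'self'`) together with `X-Frame-Options: DENY` (or `SAMEORIGIN`) closes it.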
