The Hackers Codex: Modern Web Application Attacks Demystified by Wieser Brandon

Author:Wieser, Brandon [Wieser, Brandon]
Language: eng
Format: epub
Published: 2021-03-19T16:00:00+00:00

Figure 51 – A transparent view of BurpSuite’s 1 st stage “Click Bandit” proof of concept

Figure 52 – The second stage of the “Click Bandit” attack

As can be seen in the images above, the first attack overlays the “Add” button with a clickjacking attack. When a user clicks the “Add” button, the user then needs to type in a username, and click it once to select it. The second clickjacking attack shown above mimics the click to bring down the dropdown box.

Figure 53 – Last stage of the Click Bandit attack

The second attack then overlays where the username is located and will populate in the dropdown menu after the victim searches for a user to add.

Yuri needs to modify the “Clickbandit” PoC to automatically fill out the search bar with Bezmenov’s username inbetween clickjacking attacks one and two. This can be accomplished by using a “div” html tag with a “ondragstart” event handler that uses the event.dataTransfer.setData() method, the “draggable” attribute set to "true," and the position style element set to relative, as well as the z-index set to the top.

While that might seem complicated, the code snippet below demonstrates what is needed:

<div id="payload" draggable="true" ondragstart="event.dataTransfer.setData('text/plain', ‘Bezmaneovs_Username')" style="position: relative;z-index: 1000000"><h3>DRAG ME OVER THE SEARCH BOXES AFTER CLICKING THE RED RECTANGLE</h3></div>

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.