Pentest Tools

Published on April 29th, 2016


CJExploiter — ClickJacking Exploit Development Assistance Tool

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function. Clickjacking can be understood as an instance of the confused deputy problem, a term used to describe when a computer is innocently fooled into misusing its authority.

A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden/invisible page. The hidden page may be an authentic page; therefore, the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page.


ClickJacking Exploit Development Assistance Tool: CJExploiter


ClickJacking Exploit Development Assistance Tool is a deliberately simplified template tool for practising and learning about clickjacking.


Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.


Prevention


Client-side


NoScript

Protection against clickjacking (including likejacking) can be added to Mozilla Firefox desktop and mobile versions by installing the NoScript add-on: its ClearClick feature, released on 8 October 2008, prevents users from clicking on invisible or “redressed” page elements of embedded documents or applets. According to Google’s “Browser Security Handbook” from year 2008, NoScript’s ClearClick is “the only freely available product that offers a reasonable degree of protection” against Clickjacking. Protection from the newer cursorjacking attack was added to NoScript 2.2.8 RC1.

GuardedID

GuardedID (a commercial product) includes client-side clickjack protection for users of Internet Explorer and Firefox without interfering with the operation of legitimate iFrames. GuardedID clickjack protection forces all frames to become visible.





Gazelle

Gazelle is a Microsoft Research project for a secure web browser based on IE. It uses an OS-like security model and has its own limited defenses against clickjacking: in Gazelle, a window of a different origin may only draw dynamic content over another window's screen space if the content it draws is opaque.


Server-side


Framekiller

Web site owners can protect their users against UI redressing (frame based clickjacking) on the server side by including a framekiller JavaScript snippet in those pages they do not want to be included inside frames from different sources.

Such JavaScript-based protection, unfortunately, is not always reliable. This is especially true on Internet Explorer, where this kind of countermeasure can be circumvented “by design” by including the targeted page inside an <IFRAME SECURITY=restricted> element.
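A hide-by-default framekiller of the kind the paragraph above describes, as an added example that is not CJExploiter's code and was not part of the original post. The window and document are passed in as parameters so the decision logic can be run outside a browser; the `antiClickjack` element id, the stub environment, and the origins bank.example and evil.example are constructed for illustration.

```javascript
// Added example (not CJExploiter's code): "hide by default" framekiller logic,
// written against an injectable window/document so it can be unit tested.
// In a real page it runs inline in <head>, right after
// <style id="antiClickjack">body{display:none !important;}</style>.

// A document is framed when its own window is not the top-level window.
function isFramed(win) {
  return win.self !== win.top;
}

// 'reveal' the body when this is the top-level document, 'bust' otherwise.
function framekillerDecision(win) {
  return isFramed(win) ? 'bust' : 'reveal';
}

// Apply the decision: remove the hiding stylesheet, or navigate the top-level
// window to this page. Returns the action taken so callers can log it.
function runFramekiller(win, doc) {
  const action = framekillerDecision(win);
  if (action === 'reveal') {
    const hider = doc.getElementById('antiClickjack');
    if (hider && hider.parentNode) hider.parentNode.removeChild(hider);
  } else {
    // Replace the framing page with this one. If the browser stops this script
    // from running at all, the stylesheet is never removed and the body stays hidden.
    win.top.location = win.self.location;
  }
  return action;
}

// Constructed stand-in for a browser environment (not a real DOM), used to
// exercise the logic above in Node.js. `framed` selects a foreign top window.
function fakeEnvironment({ framed }) {
  const style = { parentNode: null };
  const head = { children: [style] };
  style.parentNode = {
    removeChild(node) { head.children = head.children.filter(n => n !== node); },
  };
  const doc = {
    getElementById(id) {
      return id === 'antiClickjack' && head.children.includes(style) ? style : null;
    },
    bodyHidden() { return head.children.includes(style); },
  };
  const self = { location: 'https://bank.example/transfer' };
  const top = framed ? { location: 'https://evil.example/decoy' } : self;
  return { win: { self, top }, doc };
}

// In a real browser, run against the live window and document.
if (typeof window !== 'undefined') runFramekiller(window, document);
```

The design point is that the stylesheet, not the script, is what hides the page: the body is shown only once the script has proved the document is top-level. Where the framing page prevents the script from running, as in the Internet Explorer `security=restricted` case described above, the page simply stays blank instead of being exposed to the framer.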

X-Frame-Options

Introduced in 2009 in Internet Explorer 8, the HTTP header X-Frame-Options offered partial protection against clickjacking and was adopted shortly afterwards by other browsers (Safari, Firefox, Chrome, and Opera). When set by the website owner, the header declares the site's preferred framing policy: the values DENY, SAMEORIGIN, and ALLOW-FROM origin prevent any framing, prevent framing by external sites, or allow framing only by the specified site, respectively. In addition, some advertising sites return a non-standard ALLOWALL value intended to allow framing of their content on any page (equivalent to not setting X-Frame-Options at all).

In 2013 the X-Frame-Options header was officially published as RFC 7034, but it is not an Internet standard: the document is provided for informational purposes only.

Content Security Policy

The frame-ancestors directive of Content Security Policy (introduced in version 1.1) can allow or disallow embedding of content by potentially hostile pages using iframe, object, etc. This directive obsoletes the X-Frame-Options header. If a page is served with both headers, the browser should prefer the frame-ancestors policy, although some popular browsers disobey this requirement.


OWASP Cheat Sheets


Source && Download

https://github.com/enddo/CJExploiter
