Quickjack is a point-and-click tool for intuitively producing advanced clickjacking and frame slicing attacks.

Quickjack

Quickjack is an intuitive, point-and-click tool for performing advanced and covert clickjacking and frame slicing attacks.

Use the Quickjack tool directly at http://samy.pl/quickjack/quickjack.html

by @SamyKamkar // [email protected] // http://samy.pl // Dec 22, 2014

Code available on github



Overview

Quickjack allows you to easily perform clickjacking, or steal "clicks" from users on many websites, forcing the user to unknowingly click buttons or links (e.g., the Facebook Like button) using their own cookies. By placing the auto-generated code on any site, you can obtain thousands of clicks quickly from different users, or perform targeted attacks by luring a victim to a specific URL. It also allows you to deceive a user into believing you have information on them that you don't, as well as coerce a user into providing information to you without even knowing it.

In this demonstration, we'll both steal Facebook likes without a user knowing, as well as show a user's imgur name on our own site.

Quickjack supports easy point-and-click generation of code, and the iframe it generates also follows the user's mouse around the page wherever it goes, hides the clickjacking frame, and detects when the user's click has been obtained so that clickjacking can be removed from the page and the user can actually perform the click they meant to make.

Quickjack also includes a frame slicing tool which allows you to capture a small section of a page and display it to a user, leading them to believe you have that information about them. An example would be to slice a section of a website which normally contains the user's name, then place that frame slice on your own site, making it appear that you know their name.

You can even use frame slicing to obtain information from the user. For example, you can slice different characters of the user's name from a site, rearrange them, add other letters and numbers, and present the result as a captcha. When the user enters the captcha, they're just entering an anagram of their name (plus other characters, which you remove), and you can determine their name!

In this project, we'll learn how Quickjack performs these methods and how clickjacking and frame slicing work. We'll also look at some of the more advanced techniques in the Quickjack tool which allow more potent clickjacking to occur, and see real demonstrations on sites such as Facebook.

Quickjack is originally based off of a "cake slicing" app which is no longer online.

Clickjacking was initially discovered by the amazing Robert Hansen and Jeremiah Grossman.

http://samy.pl/quickjack/qj1.png


http://samy.pl/quickjack/qj2.png


Use Quickjack

Use the Quickjack tool at http://samy.pl/quickjack/quickjack.html

Source

You can simply use Quickjack online here, or acquire the source code for yourself from my github: https://github.com/samyk/quickjack


Stealing Facebook Likes

You can see how we create the clickjacking attack for Facebook in seconds in the video.

See the HTML demo (which likely won't last) here: http://samy.pl/quickjack/pwned.html which clickjacks this page: http://samy.pl/quickjack/fb.html which contains an iframe to Facebook!


Clickjacking

Clickjacking was initially discovered by the amazing Robert Hansen and Jeremiah Grossman.

Quickjack makes clickjacking fun and easy! It also adds a few advanced features that make clickjacking potent and covert.

Persistence / Mouse Tracking

By tracking the mouse, Quickjack consistently keeps the hidden clickjacking iframe directly underneath the user's mouse pointer. This ensures the moment they make a click on the page, their click has been jacked.

Click Detection

Traditionally, the person performing the clickjacking attack cannot detect when the clickjack occurred, due to cross-domain policy. However, we get around this by ensuring focus is in the parent window, the window we control. Although we can't detect a click or focus in the clickjacking frame, we can detect the loss of focus, or blur, within our parent window!

This means as soon as the user clicks inside the iframe (without knowing), our window will blur, causing us to trigger a special call. Our call hides the clickjacking iframe further, ensuring the next click the user performs actually happens on the page they're on! Awesome!

Referral Scrubbing

Referral scrubbing is the method of removing your HTTP referrer so the target domain cannot discover where a clickjacking attack originated from. Quickjack can optionally do this by using multiple redirects, or by switching in and out of HTTPS.

Preventing Frame Breakout/Frame Busting

We use some older methods of frame busting evasion to prevent sites from using frame busting/breakouts in some browsers.


Frame Slicing

We use fun and intuitive frame slicing to allow you to slice a frame out of any page. Here's an actual frame slice, not an image, from imgur.


Preventing Quickjacking

You can prevent quickjacking, clickjacking or frame slicing by using the X-Frame-Options HTTP header, or by following these other great instructions from OWASP.
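
To check whether a page you run is actually protected, the function below classifies a response's anti-framing headers. It is an added example, not part of Quickjack; the names `framingPolicy` and `classifyAncestors` are made up for it, and it goes beyond X-Frame-Options to also read the Content-Security-Policy `frame-ancestors` directive.

```javascript
// Added example (not Quickjack code): audit a response's anti-framing headers.
// `headers` maps lowercase header names to a string or an array of strings.
const RANK = ['open', 'allowlist', 'same-origin', 'deny']; // weakest to strictest

function classifyAncestors(sources) {
  const real = sources.filter((s) => s !== "'none'"); // 'none' only counts alone
  if (real.length === 0) return 'deny';
  // "*" or a bare scheme such as "https:" lets almost any site frame the page.
  if (real.some((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s))) return 'open';
  return real.every((s) => s === "'self'") ? 'same-origin' : 'allowlist';
}

function framingPolicy(headers) {
  const values = (name) => [].concat(headers[name] ?? []);

  // One CSP header value may carry several comma-separated policies. Within a
  // policy the first frame-ancestors directive wins; default-src is no fallback.
  const ancestorLists = values('content-security-policy')
    .flatMap((h) => h.split(','))
    .map((policy) => policy.split(';')
      .map((d) => d.trim().split(/\s+/))
      .find((d) => d[0].toLowerCase() === 'frame-ancestors'))
    .filter(Boolean)
    .map((d) => d.slice(1).map((s) => s.toLowerCase()));

  if (ancestorLists.length > 0) {
    // An enforced frame-ancestors replaces X-Frame-Options. Every policy must
    // allow the embedder, so the result is at least as strict as the strictest.
    const level = ancestorLists.map(classifyAncestors)
      .sort((a, b) => RANK.indexOf(b) - RANK.indexOf(a))[0];
    return { source: 'content-security-policy', level };
  }

  const xfo = [...new Set(values('x-frame-options')
    .flatMap((h) => h.split(','))
    .map((v) => v.trim().toLowerCase())
    .filter(Boolean))];
  if (xfo.length === 0) return { source: 'none', level: 'open' };
  // Disagreeing values are a misconfiguration: report it rather than guess.
  if (xfo.length > 1) return { source: 'x-frame-options', level: 'conflict' };
  if (xfo[0] === 'deny') return { source: 'x-frame-options', level: 'deny' };
  if (xfo[0] === 'sameorigin') return { source: 'x-frame-options', level: 'same-origin' };
  // ALLOW-FROM is obsolete and ignored by current browsers; unknown values
  // give no protection either.
  return { source: 'x-frame-options', level: 'open' };
}
```

A level of `open` or `conflict` on any page that shows user-specific content or state-changing buttons means the page can still be framed or sliced.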


Questions?

Feel free to contact me with any questions!

Follow @SamyKamkar on Twitter!

You can see more of my projects at http://samy.pl or contact me at [email protected].

