Solved

Lightweight freeware to test a website / URL for clickjacking

Posted on 2014-11-18
10
887 Views
Last Modified: 2014-12-12
Not looking for Wireshark type of scanner which is rather large & memory hungry.  Not Nessus as I
don't have a licence.

Kindly provide links that I could download freeware to scan if a website is vulnerable to clickjacking?
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 64

Expert Comment

by:btan
ID: 40451513
maybe tool such as below

(may not be supporting Chrome/Safari, do see the readme.txt, not much doc though)
http://www.contextis.co.uk/services/research/clickjacking-tool/

Clickjack reveal FF plugin
https://addons.mozilla.org/en-US/firefox/addon/no-clickjacking/

standalone test html though
https://cirt.net/clickjack-test
0
 

Author Comment

by:sunhux
ID: 40452864
https://cirt.net/clickjack-test

For this link, is the tool   Nikto, Davtest or CMS Explorer.
Does it run on Windows?
0
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 40453929
they do not perform clickjacking per se, nonetheless, here as below - they are PERL based so OS with win PERL will have Windows supported. The last two did not have readily win package though...you probably need to do further digging
Nikto2 - http://projects.giacomodrago.com/nikto-win/
DAVtest - https://code.google.com/p/davtest/downloads/list
CMS Explorer - https://code.google.com/p/cms-explorer/downloads/list
0
The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

 

Author Comment

by:sunhux
ID: 40459569
Looks like Davtest is missing something despite that ActivePerl is
installed on my Win XP with ACtivePerl's directory in the path:

D:\vaScanClickj\davtest-1.0>davtest.pl google.com
Can't locate HTTP/DAV.pm in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .)
 at D:\vaScanClickj\davtest-1.0\davtest.pl line 30.
BEGIN failed--compilation aborted at D:\vaScanClickj\davtest-1.0\davtest.pl line
 30.

I'll try something else
0
 

Author Comment

by:sunhux
ID: 40459572
https://cirt.net/clickjack-test

When I click on "Other Codes" ==> "ClickJacking" or "Site Crunch",
nothing returns.  Have to try other sites
0
 

Author Comment

by:sunhux
ID: 40460724
Nikto2 scans more than 400+ vulnerabilities & I can't select to scan only
for Clickjacking: this will trigger security alerts & the scan may be blocked
before I get a chance.

no Joy with davtest due to the Perl error.

I may need help with this lightweight tool to scan: is there anything
within davtest perl that can be customized to just scan clickjacking?

Any other ready-to-run scanner will be ideal as I'll need to show
the scan results by Monday noon
0
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 40461146
For nikto, I saw command line option using -T (-Tuning) option stating will control the test that Nikto will use against a target. By default, all tests are performed. If any options are specified, only those tests will be performed.
https://cirt.net/nikto2-docs/options.html
In the default mode, if -T is invoked only the test type(s) specified will be executed. For example, only the tests for "Remote file retrieval" and "Command execution" can performed against the target:

perl nikto.pl -h 192.168.0.1 -T 58
If an "x" is passed to -T then this will negate all tests of types following the x. This is useful where a test may check several different types of exploit. For example:

perl nikto.pl -h 192.168.0.1 -T 58xb
did not manage to drill into the windows binary though..Also probably has to play around which option is specifc to clickjacking but my guess is the Injection (4). Here is one on the setup (not windows) though in case you needed that. http://www.tecmint.com/nikto-a-web-application-vulnerability-and-cgi-scanner-for-web-servers/
0
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 40461156
For the DAVtest, looks like the error is reported as well in the post - stating to to install the HTTP::DAV module (from http://www.cpan.org/modules/INSTALL.html)
http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html
0
 

Author Comment

by:sunhux
ID: 40462452
Got the following html page & just by launching it (after amending the URL
in it), it will be able to tell if the URL is vulnerable.  Does this really work?

<html>
   <head>
     <title>Clickjack test page</title>
   </head>
   <body>
     <p>URL is vulnerable to clickjacking if u can see it below; if u can see only this line, then it's not vulnerable </p>
     <iframe src="http://www.xxx.com.au" width="500" height="500"></iframe>
   </body>
</html>
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40463596
yes it should as already mentioned earlier in the OWASP cheatsheet link
If you can see both the text "Website is vulnerable to clickjacking!" at the top of the page and your target web page successfully loaded into the frame, then your site is vulnerable and has no type of protection against Clickjacking attacks.

There is another HTML tester mentioned earlier which is just an HTML page to load your chosen target in a browser and then overlay content over the top
0

Featured Post

Enroll in June's Course of the Month

June's Course of the Month is now available! Every 10 seconds, a consumer gets hit with ransomware. Refresh your knowledge of ransomware best practices by enrolling in this month's complimentary course for Premium Members, Team Accounts, and Qualified Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
This article was originally published on Monitis Blog, you can check it here . If you have responsibility for software in production, I bet you’d like to know more about it. I don’t mean that you’d like an extra peek into the bowels of the sourc…
The viewer will learn how to create multiple layers to apply various filters and how to delete areas from each layer’s filter.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question