Solved

Lightweight freeware to test a website / URL for clickjacking

Posted on 2014-11-18
10
862 Views
Last Modified: 2014-12-12
Not looking for Wireshark type of scanner which is rather large & memory hungry.  Not Nessus as I
don't have a licence.

Kindly provide links that I could download freeware to scan if a website is vulnerable to clickjacking?
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 63

Expert Comment

by:btan
ID: 40451513
maybe tool such as below

(may not be supporting Chrome/Safari, do see the readme.txt, not much doc though)
http://www.contextis.co.uk/services/research/clickjacking-tool/

Clickjack reveal FF plugin
https://addons.mozilla.org/en-US/firefox/addon/no-clickjacking/

standalone test html though
https://cirt.net/clickjack-test
0
 

Author Comment

by:sunhux
ID: 40452864
https://cirt.net/clickjack-test

For this link, is the tool   Nikto, Davtest or CMS Explorer.
Does it run on Windows?
0
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 40453929
they do not perform clickjacking per se, nonetheless, here as below - they are PERL based so OS with win PERL will have Windows supported. The last two did not have readily win package though...you probably need to do further digging
Nikto2 - http://projects.giacomodrago.com/nikto-win/
DAVtest - https://code.google.com/p/davtest/downloads/list
CMS Explorer - https://code.google.com/p/cms-explorer/downloads/list
0
Increase your protection from Zero Day threats!

Running two Antivirus' is never a good idea.
Taking advantage of Multiple Security layers on the other hand can often save your hide.
See which top notch security software brands have been proven to happily coexist together.
Reduce your chances of becoming a statistic.

 

Author Comment

by:sunhux
ID: 40459569
Looks like Davtest is missing something despite that ActivePerl is
installed on my Win XP with ACtivePerl's directory in the path:

D:\vaScanClickj\davtest-1.0>davtest.pl google.com
Can't locate HTTP/DAV.pm in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .)
 at D:\vaScanClickj\davtest-1.0\davtest.pl line 30.
BEGIN failed--compilation aborted at D:\vaScanClickj\davtest-1.0\davtest.pl line
 30.

I'll try something else
0
 

Author Comment

by:sunhux
ID: 40459572
https://cirt.net/clickjack-test

When I click on "Other Codes" ==> "ClickJacking" or "Site Crunch",
nothing returns.  Have to try other sites
0
 

Author Comment

by:sunhux
ID: 40460724
Nikto2 scans more than 400+ vulnerabilities & I can't select to scan only
for Clickjacking: this will trigger security alerts & the scan may be blocked
before I get a chance.

no Joy with davtest due to the Perl error.

I may need help with this lightweight tool to scan: is there anything
within davtest perl that can be customized to just scan clickjacking?

Any other ready-to-run scanner will be ideal as I'll need to show
the scan results by Monday noon
0
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 40461146
For nikto, I saw command line option using -T (-Tuning) option stating will control the test that Nikto will use against a target. By default, all tests are performed. If any options are specified, only those tests will be performed.
https://cirt.net/nikto2-docs/options.html
In the default mode, if -T is invoked only the test type(s) specified will be executed. For example, only the tests for "Remote file retrieval" and "Command execution" can performed against the target:

perl nikto.pl -h 192.168.0.1 -T 58
If an "x" is passed to -T then this will negate all tests of types following the x. This is useful where a test may check several different types of exploit. For example:

perl nikto.pl -h 192.168.0.1 -T 58xb
did not manage to drill into the windows binary though..Also probably has to play around which option is specifc to clickjacking but my guess is the Injection (4). Here is one on the setup (not windows) though in case you needed that. http://www.tecmint.com/nikto-a-web-application-vulnerability-and-cgi-scanner-for-web-servers/
0
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 40461156
For the DAVtest, looks like the error is reported as well in the post - stating to to install the HTTP::DAV module (from http://www.cpan.org/modules/INSTALL.html)
http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html
0
 

Author Comment

by:sunhux
ID: 40462452
Got the following html page & just by launching it (after amending the URL
in it), it will be able to tell if the URL is vulnerable.  Does this really work?

<html>
   <head>
     <title>Clickjack test page</title>
   </head>
   <body>
     <p>URL is vulnerable to clickjacking if u can see it below; if u can see only this line, then it's not vulnerable </p>
     <iframe src="http://www.xxx.com.au" width="500" height="500"></iframe>
   </body>
</html>
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40463596
yes it should as already mentioned earlier in the OWASP cheatsheet link
If you can see both the text "Website is vulnerable to clickjacking!" at the top of the page and your target web page successfully loaded into the frame, then your site is vulnerable and has no type of protection against Clickjacking attacks.

There is another HTML tester mentioned earlier which is just an HTML page to load your chosen target in a browser and then overlay content over the top
0

Featured Post

Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Password manager for small company 3 56
how to export quicken data 2 24
PDF edit software 2 61
Ping to management is timing out. 6 43
All of the resources available today make learning a new digital media easier than ever-- if you know where to begin. This is a clear, simple guide to a few of the basic digital art mediums and how to begin learning them on your own.
Developer portfolios can be a bit of an enigma—how do you present yourself to employers without burying them in lines of code?  A modern portfolio is more than just work samples, it’s also a statement of how you work.
The viewer will learn how to set up a document for the web and print and the recommended PPI for printing.
Using Adobe Premiere Pro, the viewer will learn how to set up a sequence with proper settings, importing pictures, rendering, and exporting the finished product.

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question