Solved

Lightweight freeware to test a website / URL for clickjacking

Posted on 2014-11-18
10
690 Views
Last Modified: 2014-12-12
Not looking for Wireshark type of scanner which is rather large & memory hungry.  Not Nessus as I
don't have a licence.

Kindly provide links that I could download freeware to scan if a website is vulnerable to clickjacking?
0
Comment
Question by:sunhux
  • 5
  • 5
10 Comments
 
LVL 61

Expert Comment

by:btan
ID: 40451513
maybe tool such as below

(may not be supporting Chrome/Safari, do see the readme.txt, not much doc though)
http://www.contextis.co.uk/services/research/clickjacking-tool/

Clickjack reveal FF plugin
https://addons.mozilla.org/en-US/firefox/addon/no-clickjacking/

standalone test html though
https://cirt.net/clickjack-test
0
 

Author Comment

by:sunhux
ID: 40452864
https://cirt.net/clickjack-test

For this link, is the tool   Nikto, Davtest or CMS Explorer.
Does it run on Windows?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 40453929
they do not perform clickjacking per se, nonetheless, here as below - they are PERL based so OS with win PERL will have Windows supported. The last two did not have readily win package though...you probably need to do further digging
Nikto2 - http://projects.giacomodrago.com/nikto-win/
DAVtest - https://code.google.com/p/davtest/downloads/list
CMS Explorer - https://code.google.com/p/cms-explorer/downloads/list
0
 

Author Comment

by:sunhux
ID: 40459569
Looks like Davtest is missing something despite that ActivePerl is
installed on my Win XP with ACtivePerl's directory in the path:

D:\vaScanClickj\davtest-1.0>davtest.pl google.com
Can't locate HTTP/DAV.pm in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .)
 at D:\vaScanClickj\davtest-1.0\davtest.pl line 30.
BEGIN failed--compilation aborted at D:\vaScanClickj\davtest-1.0\davtest.pl line
 30.

I'll try something else
0
 

Author Comment

by:sunhux
ID: 40459572
https://cirt.net/clickjack-test

When I click on "Other Codes" ==> "ClickJacking" or "Site Crunch",
nothing returns.  Have to try other sites
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 

Author Comment

by:sunhux
ID: 40460724
Nikto2 scans more than 400+ vulnerabilities & I can't select to scan only
for Clickjacking: this will trigger security alerts & the scan may be blocked
before I get a chance.

no Joy with davtest due to the Perl error.

I may need help with this lightweight tool to scan: is there anything
within davtest perl that can be customized to just scan clickjacking?

Any other ready-to-run scanner will be ideal as I'll need to show
the scan results by Monday noon
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 40461146
For nikto, I saw command line option using -T (-Tuning) option stating will control the test that Nikto will use against a target. By default, all tests are performed. If any options are specified, only those tests will be performed.
https://cirt.net/nikto2-docs/options.html
In the default mode, if -T is invoked only the test type(s) specified will be executed. For example, only the tests for "Remote file retrieval" and "Command execution" can performed against the target:

perl nikto.pl -h 192.168.0.1 -T 58
If an "x" is passed to -T then this will negate all tests of types following the x. This is useful where a test may check several different types of exploit. For example:

perl nikto.pl -h 192.168.0.1 -T 58xb
did not manage to drill into the windows binary though..Also probably has to play around which option is specifc to clickjacking but my guess is the Injection (4). Here is one on the setup (not windows) though in case you needed that. http://www.tecmint.com/nikto-a-web-application-vulnerability-and-cgi-scanner-for-web-servers/
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 40461156
For the DAVtest, looks like the error is reported as well in the post - stating to to install the HTTP::DAV module (from http://www.cpan.org/modules/INSTALL.html)
http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html
0
 

Author Comment

by:sunhux
ID: 40462452
Got the following html page & just by launching it (after amending the URL
in it), it will be able to tell if the URL is vulnerable.  Does this really work?

<html>
   <head>
     <title>Clickjack test page</title>
   </head>
   <body>
     <p>URL is vulnerable to clickjacking if u can see it below; if u can see only this line, then it's not vulnerable </p>
     <iframe src="http://www.xxx.com.au" width="500" height="500"></iframe>
   </body>
</html>
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40463596
yes it should as already mentioned earlier in the OWASP cheatsheet link
If you can see both the text "Website is vulnerable to clickjacking!" at the top of the page and your target web page successfully loaded into the frame, then your site is vulnerable and has no type of protection against Clickjacking attacks.

There is another HTML tester mentioned earlier which is just an HTML page to load your chosen target in a browser and then overlay content over the top
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
If your app took Google’s lash recently, here are the 5 most likely reasons.
This video demonstrates basic masking and how to edit the mask to reveal the desired image.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now