Lightweight freeware to test a website / URL for clickjacking

Not looking for Wireshark type of scanner which is rather large & memory hungry.  Not Nessus as I
don't have a licence.

Kindly provide links that I could download freeware to scan if a website is vulnerable to clickjacking?
sunhuxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
maybe tool such as below

(may not be supporting Chrome/Safari, do see the readme.txt, not much doc though)
http://www.contextis.co.uk/services/research/clickjacking-tool/

Clickjack reveal FF plugin
https://addons.mozilla.org/en-US/firefox/addon/no-clickjacking/

standalone test html though
https://cirt.net/clickjack-test
0
sunhuxAuthor Commented:
https://cirt.net/clickjack-test

For this link, is the tool   Nikto, Davtest or CMS Explorer.
Does it run on Windows?
0
btanExec ConsultantCommented:
they do not perform clickjacking per se, nonetheless, here as below - they are PERL based so OS with win PERL will have Windows supported. The last two did not have readily win package though...you probably need to do further digging
Nikto2 - http://projects.giacomodrago.com/nikto-win/
DAVtest - https://code.google.com/p/davtest/downloads/list
CMS Explorer - https://code.google.com/p/cms-explorer/downloads/list
0
What were the top attacks of Q1 2018?

The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Check out our Q1 2018 report for smart, practical security advice today!

sunhuxAuthor Commented:
Looks like Davtest is missing something despite that ActivePerl is
installed on my Win XP with ACtivePerl's directory in the path:

D:\vaScanClickj\davtest-1.0>davtest.pl google.com
Can't locate HTTP/DAV.pm in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .)
 at D:\vaScanClickj\davtest-1.0\davtest.pl line 30.
BEGIN failed--compilation aborted at D:\vaScanClickj\davtest-1.0\davtest.pl line
 30.

I'll try something else
0
sunhuxAuthor Commented:
https://cirt.net/clickjack-test

When I click on "Other Codes" ==> "ClickJacking" or "Site Crunch",
nothing returns.  Have to try other sites
0
sunhuxAuthor Commented:
Nikto2 scans more than 400+ vulnerabilities & I can't select to scan only
for Clickjacking: this will trigger security alerts & the scan may be blocked
before I get a chance.

no Joy with davtest due to the Perl error.

I may need help with this lightweight tool to scan: is there anything
within davtest perl that can be customized to just scan clickjacking?

Any other ready-to-run scanner will be ideal as I'll need to show
the scan results by Monday noon
0
btanExec ConsultantCommented:
For nikto, I saw command line option using -T (-Tuning) option stating will control the test that Nikto will use against a target. By default, all tests are performed. If any options are specified, only those tests will be performed.
https://cirt.net/nikto2-docs/options.html
In the default mode, if -T is invoked only the test type(s) specified will be executed. For example, only the tests for "Remote file retrieval" and "Command execution" can performed against the target:

perl nikto.pl -h 192.168.0.1 -T 58
If an "x" is passed to -T then this will negate all tests of types following the x. This is useful where a test may check several different types of exploit. For example:

perl nikto.pl -h 192.168.0.1 -T 58xb
did not manage to drill into the windows binary though..Also probably has to play around which option is specifc to clickjacking but my guess is the Injection (4). Here is one on the setup (not windows) though in case you needed that. http://www.tecmint.com/nikto-a-web-application-vulnerability-and-cgi-scanner-for-web-servers/
0
btanExec ConsultantCommented:
For the DAVtest, looks like the error is reported as well in the post - stating to to install the HTTP::DAV module (from http://www.cpan.org/modules/INSTALL.html)
http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html
0
sunhuxAuthor Commented:
Got the following html page & just by launching it (after amending the URL
in it), it will be able to tell if the URL is vulnerable.  Does this really work?

<html>
   <head>
     <title>Clickjack test page</title>
   </head>
   <body>
     <p>URL is vulnerable to clickjacking if u can see it below; if u can see only this line, then it's not vulnerable </p>
     <iframe src="http://www.xxx.com.au" width="500" height="500"></iframe>
   </body>
</html>
0
btanExec ConsultantCommented:
yes it should as already mentioned earlier in the OWASP cheatsheet link
If you can see both the text "Website is vulnerable to clickjacking!" at the top of the page and your target web page successfully loaded into the frame, then your site is vulnerable and has no type of protection against Clickjacking attacks.

There is another HTML tester mentioned earlier which is just an HTML page to load your chosen target in a browser and then overlay content over the top
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.