Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Lightweight freeware to test a website / URL for clickjacking

Posted on 2014-11-18
10
Medium Priority
?
1,125 Views
Last Modified: 2014-12-12
Not looking for Wireshark type of scanner which is rather large & memory hungry.  Not Nessus as I
don't have a licence.

Kindly provide links that I could download freeware to scan if a website is vulnerable to clickjacking?
0
Comment
Question by:sunhux
  • 5
  • 5
10 Comments
 
LVL 65

Expert Comment

by:btan
ID: 40451513
maybe tool such as below

(may not be supporting Chrome/Safari, do see the readme.txt, not much doc though)
http://www.contextis.co.uk/services/research/clickjacking-tool/

Clickjack reveal FF plugin
https://addons.mozilla.org/en-US/firefox/addon/no-clickjacking/

standalone test html though
https://cirt.net/clickjack-test
0
 

Author Comment

by:sunhux
ID: 40452864
https://cirt.net/clickjack-test

For this link, is the tool   Nikto, Davtest or CMS Explorer.
Does it run on Windows?
0
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 40453929
they do not perform clickjacking per se, nonetheless, here as below - they are PERL based so OS with win PERL will have Windows supported. The last two did not have readily win package though...you probably need to do further digging
Nikto2 - http://projects.giacomodrago.com/nikto-win/
DAVtest - https://code.google.com/p/davtest/downloads/list
CMS Explorer - https://code.google.com/p/cms-explorer/downloads/list
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 

Author Comment

by:sunhux
ID: 40459569
Looks like Davtest is missing something despite that ActivePerl is
installed on my Win XP with ACtivePerl's directory in the path:

D:\vaScanClickj\davtest-1.0>davtest.pl google.com
Can't locate HTTP/DAV.pm in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .)
 at D:\vaScanClickj\davtest-1.0\davtest.pl line 30.
BEGIN failed--compilation aborted at D:\vaScanClickj\davtest-1.0\davtest.pl line
 30.

I'll try something else
0
 

Author Comment

by:sunhux
ID: 40459572
https://cirt.net/clickjack-test

When I click on "Other Codes" ==> "ClickJacking" or "Site Crunch",
nothing returns.  Have to try other sites
0
 

Author Comment

by:sunhux
ID: 40460724
Nikto2 scans more than 400+ vulnerabilities & I can't select to scan only
for Clickjacking: this will trigger security alerts & the scan may be blocked
before I get a chance.

no Joy with davtest due to the Perl error.

I may need help with this lightweight tool to scan: is there anything
within davtest perl that can be customized to just scan clickjacking?

Any other ready-to-run scanner will be ideal as I'll need to show
the scan results by Monday noon
0
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 40461146
For nikto, I saw command line option using -T (-Tuning) option stating will control the test that Nikto will use against a target. By default, all tests are performed. If any options are specified, only those tests will be performed.
https://cirt.net/nikto2-docs/options.html
In the default mode, if -T is invoked only the test type(s) specified will be executed. For example, only the tests for "Remote file retrieval" and "Command execution" can performed against the target:

perl nikto.pl -h 192.168.0.1 -T 58
If an "x" is passed to -T then this will negate all tests of types following the x. This is useful where a test may check several different types of exploit. For example:

perl nikto.pl -h 192.168.0.1 -T 58xb
did not manage to drill into the windows binary though..Also probably has to play around which option is specifc to clickjacking but my guess is the Injection (4). Here is one on the setup (not windows) though in case you needed that. http://www.tecmint.com/nikto-a-web-application-vulnerability-and-cgi-scanner-for-web-servers/
0
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 40461156
For the DAVtest, looks like the error is reported as well in the post - stating to to install the HTTP::DAV module (from http://www.cpan.org/modules/INSTALL.html)
http://security.sunera.com/2010/04/davtest-quickly-test-exploit-webdav.html
0
 

Author Comment

by:sunhux
ID: 40462452
Got the following html page & just by launching it (after amending the URL
in it), it will be able to tell if the URL is vulnerable.  Does this really work?

<html>
   <head>
     <title>Clickjack test page</title>
   </head>
   <body>
     <p>URL is vulnerable to clickjacking if u can see it below; if u can see only this line, then it's not vulnerable </p>
     <iframe src="http://www.xxx.com.au" width="500" height="500"></iframe>
   </body>
</html>
0
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40463596
yes it should as already mentioned earlier in the OWASP cheatsheet link
If you can see both the text "Website is vulnerable to clickjacking!" at the top of the page and your target web page successfully loaded into the frame, then your site is vulnerable and has no type of protection against Clickjacking attacks.

There is another HTML tester mentioned earlier which is just an HTML page to load your chosen target in a browser and then overlay content over the top
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Choosing the right mix of apps is very much necessary for CPAs for making the most of the latest technology through which they can boost their growth.
In today’s time where quality is an essential factor all over the world, software testing and effective QA (Quality Assurance) is an all-important element for any business to ensure less risk for an end product. A good software testing company deliv…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question