Burp Clickbandit: Burp Suite’s Clickjacking Tool

While using Burp Suite 1.7.03, the click of my mouse accidentally (luckily though!!) hit the Burp Suite documentation, where I noticed “Burp Clickbandit”.

So, what is Burp Clickbandit? Burp’s documentation states:

Burp Clickbandit is a tool for generating clickjacking attacks. When you have found a web page that may be vulnerable to clickjacking, you can use Burp Clickbandit to create an attack, and confirm that the vulnerability can be successfully exploited.

and PortSwigger’s blog states:

Manually crafting a proof of concept attack can mean laborious hours of offset-tweaking, so we’ve just released Burp Clickbandit, a point-and-click tool for generating clickjacking attacks.

Clickjacking, or a “UI redress attack”, is an attack in which an attacker lures a victim into clicking on something without the victim’s consent: the victim sees only the attacker’s crafted page, while the target website is framed invisibly on top of it and receives the clicks.
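
Whether a page is exposed to this depends on whether the browser will render it inside a frame on another origin, which the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive control. The example below is added here and is not from the original post or from Burp; the function names and sample headers are assumptions made for illustration. It evaluates a set of response headers the way a defender would when verifying framing protection.

```javascript
// Added example: predict from response headers whether a browser would let a
// third-party origin frame the page. All header sets used with it are constructed.
function frameAncestors(csp) {
  // Source list of the frame-ancestors directive, or null when it is absent.
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

function framingVerdict(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Only the enforcing header counts; Content-Security-Policy-Report-Only blocks nothing.
  const fa = frameAncestors(h['content-security-policy'] || '');
  if (fa !== null) {
    // With frame-ancestors present, supporting browsers ignore X-Frame-Options.
    // An empty source list or 'none' matches no origin at all.
    const open = fa.some((s) => s === '*' || /^https?:$/.test(s));
    return open
      ? { framable: true, reason: 'frame-ancestors allows any origin' }
      : { framable: false, reason: 'frame-ancestors restricts embedding' };
  }

  const xfo = (h['x-frame-options'] || '').split(',').map((t) => t.trim().toLowerCase());
  if (xfo.includes('deny')) return { framable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo.includes('sameorigin')) return { framable: false, reason: 'X-Frame-Options: SAMEORIGIN' };
  if (xfo.some((t) => t.startsWith('allow-from'))) {
    // ALLOW-FROM is obsolete and not honoured by current browsers.
    return { framable: true, reason: 'ALLOW-FROM is ignored by current browsers' };
  }
  return { framable: true, reason: 'no effective framing restriction' };
}

// Constructed sample: a response that relies only on the obsolete ALLOW-FROM form.
console.log(framingVerdict({ 'X-Frame-Options': 'ALLOW-FROM https://partner.example' }));
```

A verdict of framable: false for a third-party origin is what a page with state-changing buttons should produce; frame-ancestors is the form to prefer, with X-Frame-Options kept for older browsers.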

Burp Clickbandit is a tool that lets you generate proofs of concept quickly. It detects the HTML elements (<p>, <img>, <div>, etc.) that you click on and uses their dimensions and position to generate the relevant click area. Where iframes or Flash objects are encountered, it also uses the mouse’s x and y coordinates, along with zooming into the object, to provide the click area and prevent inaccuracy.

[Image: Burp Clickbandit]

The tool has the following features, as quoted by PortSwigger:

  • Supports multi-click attacks
  • Written in pure JavaScript, and trivial to deploy
  • Supports transparency, clearly showing the attack mechanics
  • Works on most websites!

In order to run this tool, follow the instructions below:

  1. Go to Burp Tab –> Burp Clickbandit.
  2. Click Copy Clickbandit to clipboard.
  3. Open the website in the browser where you want to execute this attack (let’s say http://www.certifiedhacker.com).
  4. Open Console in Inspect Element of the browser.
  5. Now, paste the clipboard content and execute it inside Console.

The tool is now running.

You will encounter two modes while using this tool.

  1. Record Mode: As soon as you execute the script in the browser’s console on the target website, the script’s iframe loads the target website (www.certifiedhacker.com) and asks you to record the click (or string of clicks) over HTML elements. This step plans how the victim’s click(s) will be hijacked.
  2. Review Mode: After you select the desired objects where the action has to be performed, the tool places the click areas over the superimposed target website (www.certifiedhacker.com); when the victim clicks the desired click area, the attack is successful. See the slideshow for reference.

The following commands are available in review mode:

  • The + and – buttons can be used to zoom in and out.
  • The “toggle transparency” button lets you show or hide the original page UI.
  • The “reset” button restores the generated attack, as it was before any further clicks were made.
  • The “save” button saves an HTML file containing the attack. This can be used as a real-world exploit of the clickjacking vulnerability.
  • You can use the keyboard arrow keys to reposition the attack UI if it is not correctly aligned with the original page UI.


Hope these features improve your experience of using the awesome Burp Suite tool. Please let me know if I can improve any part of this technical write up.


Avoiding Common Issues with Burp Suite

This post describes the key points of configuring Burp Suite and its environment so that traffic can be intercepted successfully.

First of all, you have to determine which version of Burp Suite you are going to install. (We will be talking about 1.7.05 in this post.)

Before running the JAR file, you need Java Runtime Environment (JRE) 1.7 installed on the OS; a lower version might work but is not recommended.

The JAR file can be executed directly by double-clicking it, or you can go to the file location in CMD and use the following command:

java -jar Burploader.jar

Here we are assuming that you are familiar with the basics of configuring Burp Suite with a browser to intercept traffic.

Users run into many issues when intercepting websites that use SSL in the browser, such as:

  • The client failed to negotiate an SSL connection to [ … ] Received fatal alert: unknown_ca
  • Secure Connection Failed
  • Handshake Issues – javax.net.ssl.SSLException: Received fatal alert: handshake_failure
  • Weak ephemeral Diffie-Hellman key – ssl_error_weak_server_ephemeral_dh_key

The above issues can be mitigated with the following possible solutions:

  1. Using a compatible JRE version (most critical).
  2. Installing Burp’s CA certificate into the browser (see the Certificate Installation Guide).
  3. Setting the browser to use the same proxy as Burp Suite (use localhost in both the browser and the Burp proxy listener).
  4. Configuring the SSL Negotiation tab under Project Options properly.
    1. You can check “Allow unsafe SSL negotiations”
    2. You can check “Automatically select compatible SSL parameters on negotiations failure”
  5. If you are facing the Diffie-Hellman key issue, go to the about:config tab and set the following parameters to false:

security.ssl3.dhe_rsa_aes_128_sha

security.ssl3.dhe_rsa_aes_256_sha

Hope these solutions improve your experience of using the awesome Burp Suite tool. Please let me know if I can improve any part of this technical write up or consolidate more solutions for day to day issues with Burp.