Burp Clickbandit - BurpSuite’s Clickjacking Tool

While using BurpSuite 1.7.03, my mouse accidentally (luckily, though!) clicked through to the BurpSuite documentation, where I noticed “Burp Clickbandit“.

So, what is Burp Clickbandit? Burp’s documentation states:

Burp Clickbandit is a tool for generating clickjacking attacks. When you have found a web page that may be vulnerable to clickjacking, you can use Burp Clickbandit to create an attack, and confirm that the vulnerability can be successfully exploited.

and PortSwigger’s blog states:

Manually crafting a proof of concept attack can mean laborious hours of offset-tweaking, so we’ve just released Burp Clickbandit, a point-and-click tool for generating clickjacking attacks.

Clickjacking, or a “UI redress attack”, is an attack in which an attacker lures the victim into clicking on the attacker’s page without the victim’s consent: only the crafted website is visible to the victim, with the target page superimposed over the attacker’s page.

Burp Clickbandit lets you generate proofs of concept quickly: it detects the HTML element (<p>, <img>, <div>, etc.) that is clicked and uses the element’s dimensions and position to generate the corresponding click area. Where an iframe or Flash object is encountered, it instead uses the mouse’s x and y coordinates, together with zooming into the object, to define the click area accurately.


Burp Clickbandit

The tool has the following features, as listed by PortSwigger:

  • Supports multi-click attacks
  • Written in pure JavaScript, and trivial to deploy
  • Supports transparency, clearly showing the attack mechanics
  • Works on most websites!

To run the tool, follow these steps:

  1. Go to the Burp tab –> Burp Clickbandit.
  2. Click “Copy Clickbandit to clipboard”.
  3. Open the website on which you want to run the attack in the browser (let’s say http://www.certifiedhacker.com).
  4. Open the Console in the browser’s Inspect Element (developer tools).
  5. Paste the clipboard content into the Console and execute it.

The tool is now running.

You will encounter two modes while using this tool.

  1. Record Mode: as soon as you execute the script in the browser console on the target website, the script’s iframe loads the target website (www.certifiedhacker.com) and asks you to record the click (or sequence of clicks) on HTML elements. This step plans how the victim’s click(s) will be hijacked.
  2. Review Mode: after the desired objects on which the action has to be performed are selected, the tool places the click areas over the superimposed target website (www.certifiedhacker.com); when the victim clicks the desired click area, the attack succeeds. See the slideshow for reference.

The following commands are available in review mode:

  • The + and – buttons can be used to zoom in and out.
  • The “toggle transparency” button lets you show or hide the original page UI.
  • The “reset” button restores the generated attack, as it was before any further clicks were made.
  • The “save” button saves an HTML file containing the attack. This can be used as a real-world exploit of the clickjacking vulnerability.
  • You can use the keyboard arrow keys to reposition the attack UI if it is not correctly aligned with the original page UI.
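As an added example (not code from this post or from PortSwigger), the following Python function decides from a page’s response headers whether another origin can frame it: the check to run before bothering with a Clickbandit proof of concept, and the header to fix when it returns True. The origins and header values it is given are constructed; it assumes the standard semantics of X-Frame-Options and the CSP frame-ancestors directive.

```python
# Added example (not from the Clickbandit post or PortSwigger): decide from a page's response
# headers whether an attacker origin can frame it, i.e. whether a clickjacking PoC would load at all.
from urllib.parse import urlsplit


def _header(headers, name):
    """Case-insensitive lookup in a plain {name: value} header dict."""
    return next((v.strip() for k, v in headers.items() if k.lower() == name), None)


def _source_allows(source, page_origin, framer_origin):
    """Match one frame-ancestors source expression against the framing origin."""
    source, page, framer = source.lower(), urlsplit(page_origin), urlsplit(framer_origin)
    if source == "*":
        return True
    if source == "'self'":
        return (page.scheme, page.netloc) == (framer.scheme, framer.netloc)
    if source.startswith("'"):  # 'none' or any other keyword never matches an origin
        return False
    if source.endswith(":") and "://" not in source:  # scheme-source such as "https:"
        return framer.scheme == source[:-1]
    scheme, _, hostport = source.rpartition("://")  # host-source: [scheme://]host[:port]
    if scheme and scheme != framer.scheme:
        return False
    host, _, port = hostport.partition(":")
    if port and port != str(framer.port or ""):
        return False
    if host.startswith("*."):
        return framer.hostname.endswith(host[1:])
    return framer.hostname == host


def frameable(headers, page_origin, framer_origin):
    """Return (can_frame, reason) for a page with these headers when embedded from framer_origin."""
    csp = _header(headers, "content-security-policy") or ""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # frame-ancestors is present, so browsers ignore X-Frame-Options; empty list means 'none'
            sources = tokens[1:] or ["'none'"]
            allowed = any(_source_allows(s, page_origin, framer_origin) for s in sources)
            return allowed, "CSP frame-ancestors " + " ".join(sources)
    xfo = _header(headers, "x-frame-options")
    if xfo is None:
        return True, "no X-Frame-Options or frame-ancestors header: any origin can frame this page"
    if xfo.upper() == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo.upper() == "SAMEORIGIN":
        return urlsplit(page_origin)[:2] == urlsplit(framer_origin)[:2], "X-Frame-Options: SAMEORIGIN"
    # ALLOW-FROM is obsolete and ignored by current browsers; anything else is invalid. Neither protects.
    return True, "unsupported X-Frame-Options value %r gives no protection" % xfo
```

Feed it the headers of a response captured in Burp’s proxy history, with the tested site as page_origin and the site that would host the attack page as framer_origin.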


Hope these features improve your experience of using the awesome Burp Suite tool. Please let me know if I can improve any part of this technical write-up.




Avoiding Common Issues with Burp Suite

This post describes the key points of configuring Burp Suite and its environment so that packets can be intercepted successfully.

First of all, determine which version of Burp Suite you are going to install (this post covers 1.7.05).

Before running the JAR file you need the Java Runtime Environment (JRE) 1.7 installed on your OS; lower versions might work but are not recommended.

The JAR file can be run by double-clicking it, or by changing to its directory in CMD and running:

java -jar Burploader.jar

Here we assume that you are familiar with the basics of configuring Burp Suite with a browser for interception.

Users face many issues when intercepting SSL websites in the browser, such as:

  • The client failed to negotiate an SSL connection to [ … ] Received fatal alert: unknown_ca
  • Secure Connection Failed
  • Handshake Issues – javax.net.ssl.SSLException: Received fatal alert: handshake_failure
  • Weak ephemeral Diffie-Hellman key – ssl_error_weak_server_ephemeral_dh_key

The above issues can be mitigated with the following solutions:

  1. Using a compatible JRE version (most critical).
  2. Installing Burp’s CA certificate into the browser (see the Certificate Installation Guide).
  3. Setting the browser to use the same proxy as Burp (use localhost in both the browser and the Burp proxy listener).
  4. Configuring the SSL Negotiation tab under Project Options properly:
    1. You can check “Allow unsafe SSL negotiations”.
    2. You can check “Automatically select compatible SSL parameters on negotiation failure”.
  5. If you are facing the Diffie-Hellman key issue, go to the about:config tab and set the following parameters to false:



Hope these solutions improve your experience of using the awesome Burp Suite tool. Please let me know if I can improve any part of this technical write-up or consolidate more solutions for day-to-day issues with Burp.


How to crash a Chrome tab? The Aw, Snap! vulnerability

In this post we are going to discuss a very simple, yet destructive, vulnerability which was recently found by web developer “Json Blatt”.

The vulnerability affects Chrome version 41 on Windows, Ubuntu and OS X. Although there are mixed reports, we successfully reproduced it with Chrome version 41.0.2272.118 m on Windows 7 Ultimate Edition.

The vulnerability crashes the Chrome browser using a long or malformed URL in the content of a user-submitted post. The same can be achieved by adding it in the comments section of an HTML page.

The developer confirms that only http:// works, not https://. Trying the same through file:// also does not work, as the crash only occurs when the link is accessed through a web server.

The exploit works because Chrome version 41 prefetches data for the links present inside a page: whenever a page loads, all the URLs inside it are processed and a DNS lookup is performed for their domains so that they load faster if the user clicks on them.

Let’s replicate the issue by making a dummy page, hosting it on our own server (XAMPP in our case) and opening it in the Chrome version 41 browser.

1. We made a PHP comment page with POST parameters Name, Email, Website, Comment and Gender. The page shows a normal comment, with the input reflected back to the page.

chrome awsnap bug1

2. Now, let’s enter random long text in the <a href> tag inside the comment section.

chrome awsnap bug2

3. Click the Submit button and see what happens.

chrome awsnap bug3

4. The crash happens and the page is no longer accessible in Chrome. Let’s test it in Firefox.

chrome awsnap bug4

Therefore the vulnerability lies in the Chrome source code around kMaxDnsHostnameLength, the limit on hostname (DNS name) length. Whenever the page renderer passes a longer string to the hostname lookup component, that component raises an error when it compares the hostname length against kMaxDnsHostnameLength, and the “Aw, Snap!” error occurs.

Chrome fixed this in later versions (42, 43) by preventing long hostnames from being passed for lookup.
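Since the crash is triggered by a hostname longer than the DNS lookup component accepts, here is an added example (not code from this post) of the server-side mitigation: validate the links in user-submitted comments against the DNS length limits before reflecting them into the page. The limits come from RFC 1035 rather than from Chrome’s kMaxDnsHostnameLength, and the comment HTML and hostnames it handles are constructed; it assumes ASCII hostnames.

```python
# Added example (not from the post): server-side check for links in user-submitted comments
# that rejects hostnames the DNS could never resolve (over 253 characters in total or any label
# over 63, the RFC 1035 text-form limits; Chrome's own kMaxDnsHostnameLength is not used here),
# so a page never hands such a URL to the browser's link prefetcher. Assumes ASCII hostnames.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_HOSTNAME = 253  # 255 octets on the wire, 253 characters in dotted text form
MAX_LABEL = 63
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$", re.I)


def hostname_is_valid(host):
    """True if host fits DNS limits: total length, label length and label characters."""
    host = host.rstrip(".")
    if not host or len(host) > MAX_HOSTNAME:
        return False
    return all(len(label) <= MAX_LABEL and LABEL_RE.match(label) for label in host.split("."))


class LinkCollector(HTMLParser):
    """Collect href values of <a> tags from an HTML fragment such as a comment body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v is not None)


def bad_links(comment_html):
    """Return hrefs whose hostname breaks DNS limits; reject the comment if the list is non-empty."""
    parser = LinkCollector()
    parser.feed(comment_html)
    rejected = []
    for href in parser.hrefs:
        try:
            host = urlsplit(href).hostname
        except ValueError:  # unparsable netloc: treat as bad rather than pass it on
            rejected.append(href)
            continue
        if host is None or ":" in host:  # relative link, mailto:, or IPv6 literal: nothing to look up
            continue
        if not hostname_is_valid(host):
            rejected.append(href)
    return rejected
```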

You can test this vulnerability by clicking on this Reddit link or another link. (At your own risk!!)

Net Neutrality

Using Airtel?
Flipkart is free but Snapdeal is charged separately.
Want to watch some viral videos? Only YouTube is free and fast; others (Dailymotion or Vimeo) buffer slowly!
Want to use Skype? Oh, you need to buy a premium pack.

What is Net Neutrality?

Net Neutrality is the principle concerning how the internet is provided to users. The term emphasizes “neutrality”, meaning that the service providers, or ISPs, should allow the public access to all content on the internet without limitations. ISPs should not favour any particular product or website in any form. All data should be treated equally, no matter how and when it is created.

Why should anyone care?
Of all the forms of communication present today, be it newspapers, magazines, TV, radio or any other, the Internet is known for its openness and freedom. Net Neutrality ensures that there is free and fair access to every piece of content on the Internet. No ISP should decide which website is given preference. A user cannot be forced to open non-privileged websites at lower speed, and an ISP cannot deny the user access to non-privileged websites.

What’s up in India?
Due to lobbying (the act of attempting to influence decisions made by officials in the government, most often legislators or members of regulatory agencies) by ISPs and telecom providers like Airtel and Vodafone, TRAI is going to allow operators to hurt neutrality, which will let operators extort more money by blocking apps and websites. Thanks to our “Digital India” campaign (which I think the govt. has taken way too seriously!!).

How does Airtel Zero work?
As mentioned on the Airtel website:

1. Mobile app makers register with ‘Airtel Zero’ to give customers toll-free access to their apps.
2. Airtel informs customers about these toll-free apps.
3. Customers download and access these apps at zero data charges – and enjoy their favorite online tasks (e.g. entertainment, shopping) for free – even at zero mobile balance.

Consequences of this scheme
The bigger tech giants can pay more to the operators so that their users become more comfortable using their services, which will drastically affect start-up companies that pay the normal rate. Start-ups might not bring any more creative ideas, since they will not get their user base.
Just think:
“X” company is paying more to Airtel than “Y” company to offer more speed to the consumers, and “Y” company is paying more to Vodafone than “X” company to offer more speed to the consumers.
You have Airtel but want to use Y’s services. What will you do?

What can you do?
TRAI has released a consultation paper (a brief version is available at https://docs.google.com/document/d/1kNXtANR9UV6fSjV2DNrkcIMAJVVN4CJfHHiq_0kkx8E/preview?sle=true&pli=1) of 118 pages with 20 questions, under the sparkling headline “Regulatory Framework for Over-the-top (OTT) services“.

You have to send your response to it by going to savetheinternet (http://www.savetheinternet.in) and doing two simple steps. And your part is done.

Here are really nice videos by AIB and the John Oliver show to help you understand it further.

Last but not least, I can’t resist sharing this before signing off..

Courtesy: The Logical Indian