search

D4Vinci / Clickjacking-Tester

A python script designed to check if the website if vulnerable of clickjacking and create a poc
GNU General Public License v3.0
136 stars 60 forks source link

Changes required in your Clickjacking_Tester.py #6

Closed SkyNpEH closed 2 years ago

SkyNpEH commented 3 years ago

Hello @D4Vinci , your tool is great.

You wrote this python script by considering user have to put http:// before website name in their sites.txt file, But if we put http:// before www.example.com then we get following error:

┌──(kali㉿kali)-[~/Clickjacking-Tester]
└─$ python3 Clickjacking_Tester.py /home/kali/Desktop/sites.txt  148 ⨯ 1 ⚙

[*] Checking http://www.example.com
 [+] Website is vulnerable!
Traceback (most recent call last):
  File "/home/kali/Clickjacking-Tester/Clickjacking_Tester.py", line 58, in <module>
    if __name__ == '__main__': main()
  File "/home/kali/Clickjacking-Tester/Clickjacking_Tester.py", line 52, in main
    create_poc(site.split('\n')[0])
  File "/home/kali/Clickjacking-Tester/Clickjacking_Tester.py", line 35, in create_poc
    with open(url + ".html", "w") as f:
FileNotFoundError: [Errno 2] No such file or directory: 'http://www.example.com.html'

This is because Linux OS not allowing users to create file with name http:// in the beginning. This only happens if we put http:// before website name like below.

gitbug1

But in order to create a file with name url + ".html", i can remove http:// from my website in sites.txt. Example: www.example.com

Now, I can successfully create a file in Kali linux with name www.example.com.html .

But, New big issue arise here after doing this, The <iframe> tag inside HTML file will be generated like this: <iframe src="www.example.com" width="500" height="500"></iframe> and if u open your generated www.example.com.html file then example.com will not load inside the iframe because, in order to open example.com you must have http:// in your website in src attribute. like this: src="http://www.example.com"

But user can't write http:// before websites name in sites.txt file because then .html file won't be created because of filename error in Kali Linux.

SOLUTION:

To solve the issue best solution i found is, by modifying the Clickjacking_Tester.py a little bit like below:

BEFORE Modification Clickjacking_Tester.py (With an Issue):

...

 def create_poc(url):
    ''' create HTML page of given URL '''

    code = """
<html>
   <head><title>Clickjack test page</title></head>
   <body>
     <p>Website is vulnerable to clickjacking!</p>
     <iframe src="{}" width="500" height="500"></iframe>
   </body>
</html>
    """.format(url)

    with open(url + ".html", "w") as f:
        f.write(code)
        f.close()
...

AFTER Modification Clickjacking_Tester.py (Without any Issue):

...

 def create_poc(url):
    ''' create HTML page of given URL '''

    code = """
<html>
   <head><title>Clickjack test page</title></head>
   <body>
     <p>Website is vulnerable to clickjacking!</p>
     <iframe src="http://{}" width="500" height="500"></iframe>
   </body>
</html>
    """.format(url)

    with open(url + ".html", "w") as f:
        f.write(code)
        f.close()
...

You just have to add http:// in <iframe src="http://{}" ... , So that the automatically generated .html files by Clickjacking-Tester can contain <iframe src="http://www.example.com" ...> instead of <iframe src="www.example.com" ...> so that targeted website will load inside <iframe>.

I hope i'm making some sense here. 😃 Please consider this.

Kind Regards, Sujit