@@intigriti Neither the video or the solution provided by PortSwigger explains this. I had the same issue even though I did everything exactly like in the video and the PortSwigger solution. The explanation is that cookies are not embedded in s anymore, so injecting your payload would lead to be unauthenticated inside the .
it looks so easy but my screen keeps going to the log in screen instead of staying on the my account screen when i put my account id in the exploit server body?
Unfortunately, due to the misuse (not proofing impact) of this finding, most customers started to put that vulnerability on the out-of-scope list. There are still customers which accept a well-explained clickjacking vulnerability which demonstrates high impact.
This worked just fine on Firefox. Can't you use the source code to alter the attack and foil the attacker the same way as in the lab? Thanks a bunch It made the lab easy!
This means you are not logged in as the user, could be many things that went wrong. I'd recommend double-checking the steps in the video and/or the official portswigger solution.
@@intigriti As I've answered in a comment above, neither the video or the solution provided by PortSwigger explains this. I had the same issue even though I did everything exactly like in the video and the PortSwigger solution. The explanation is that cookies are not embedded in s anymore, so injecting your payload would lead to be unauthenticated inside the . Maybe you can add an explanation somewhere because I can see a lot of comments of people having this issue. On Firefox we can just log in inside the to solve the issue, but using Chrome we can't even do this so the challenge is hardly solvable.
How does the user goes to that exlpoited page , will he click any button , i don't understand can you please explain 😢😢, do the user know that he is deleting his account
With clickjacking, the idea is that the victim would be tricked into visiting a malicious site (or maybe even a benign site that has been compromised, or has some malvertising) and would be encouraged to click somewhere on the screen, e.g. maybe to close a popup window. Little do they know, an invisible frame is overlaid for another website they are currently logged into so that when they click, they are actually performing some action on that website. An example might be an account-deletion page on a social media site.
In both Chrome or Firefox I do not manage to modify the height of the iFrame, it stays at about 100px, and a scrollbar appears on the right. Hence I never can align the div...
Your explanation is too good a new sub added god bless you brother and can explain the please Lab: CORS vulnerability with internal network pivot attack like what are the 4 scripts are and how it works
Oh my god, this lab is the worst. It says: "To solve the lab, craft some HTML that frames the account page and fools the user into deleting their account. The lab is solved when the account is deleted." I created the page locally and a fake button that wraps the exactly above the delete button, so that this fake button can be placed anywhere not just at the exact position like in this video. Still after deleting the account (as mentioned in the task), the solution says that I shouldn't have deleted it ))
You made this so easy to understand! Not just the attack but how to actually perform it! Well done and thank you!
Thank you so much for your kind words 🥰
Very helpful explanation, thank you! :)
You're very welcome! We love your channel btw, keep up the good work 😇
The seems not carring the cookies of browser.
I need to login again in the when viewing the exploit, am I doing something wrong?
Thx!
It's hard to tell without seeing what you are doing but please go over the video again slowly and see if you missed anything! :)
@@intigriti Neither the video or the solution provided by PortSwigger explains this. I had the same issue even though I did everything exactly like in the video and the PortSwigger solution. The explanation is that cookies are not embedded in s anymore, so injecting your payload would lead to be unauthenticated inside the .
it looks so easy but my screen keeps going to the log in screen instead of staying on the my account screen when i put my account id in the exploit server body?
Thanks for the tutorial! Do you think people need to know web development to understand clickjacking?
It will definitely help! Same with all web vulnerabilities really 🙂
Are there any programs on platform which still accept clickjacking? I doubt so.
Unfortunately, due to the misuse (not proofing impact) of this finding, most customers started to put that vulnerability on the out-of-scope list. There are still customers which accept a well-explained clickjacking vulnerability which demonstrates high impact.
This worked just fine on Firefox. Can't you use the source code to alter the attack and foil the attacker the same way as in the lab? Thanks a bunch It made the lab easy!
Excellent tutorial! Thank you very much :D
You're very welcome! 😇
Nice one @intigriti 👍
Thank you for your words 💙
my lab id shows the login button rather the update and delete button..what may be the problem
This means you are not logged in as the user, could be many things that went wrong. I'd recommend double-checking the steps in the video and/or the official portswigger solution.
@@intigriti As I've answered in a comment above, neither the video or the solution provided by PortSwigger explains this. I had the same issue even though I did everything exactly like in the video and the PortSwigger solution. The explanation is that cookies are not embedded in s anymore, so injecting your payload would lead to be unauthenticated inside the . Maybe you can add an explanation somewhere because I can see a lot of comments of people having this issue. On Firefox we can just log in inside the to solve the issue, but using Chrome we can't even do this so the challenge is hardly solvable.
Helped me to understand, THanks
Glad to hear that!
How does the user goes to that exlpoited page , will he click any button , i don't understand can you please explain 😢😢, do the user know that he is deleting his account
With clickjacking, the idea is that the victim would be tricked into visiting a malicious site (or maybe even a benign site that has been compromised, or has some malvertising) and would be encouraged to click somewhere on the screen, e.g. maybe to close a popup window. Little do they know, an invisible frame is overlaid for another website they are currently logged into so that when they click, they are actually performing some action on that website. An example might be an account-deletion page on a social media site.
In both Chrome or Firefox I do not manage to modify the height of the iFrame, it stays at about 100px, and a scrollbar appears on the right. Hence I never can align the div...
Have you checked your script yet that you copy in the browser and tried to adapt its values?
Your explanation is too good a new sub added god bless you brother and can explain the please Lab: CORS vulnerability with internal network pivot attack like what are the 4 scripts are and how it works
Hi there, thank you very much for your words. 😇 We will eventually cover the CORS lab you are referring to. Keep your eyes open on our channel!
Oh my god, this lab is the worst.
It says: "To solve the lab, craft some HTML that frames the account page and fools the user into deleting their account. The lab is solved when the account is deleted."
I created the page locally and a fake button that wraps the exactly above the delete button, so that this fake button can be placed anywhere not just at the exact position like in this video. Still after deleting the account (as mentioned in the task), the solution says that I shouldn't have deleted it ))
The lab is provided by Portswigger. Please share your feedback with them to give them a chance to make it better 😇
@@intigriti Yep, but since they use your video as a community solution it's just the fastest way to leave the feedback 😛
Thank you, but I did all the same things but the state would not change to solved!
Why always every one out of scope text injection? 😭
We are not sure if we understand your question 👀 Feel free to elaborate a little more.
@@intigriti out of scope : content spoofing or text injection without showing attack vector or able to modify html .
New look 😍
Hahaha, are you referring to Pascal?
@@intigriti Not that much!✨
I subscribed after I heard his voice. LOL
That is soo kind of you 😇
Does this fall under social engineering?
No, because you don't have any human interaction in this case. Social engineering always includes a 1-1 human interaction of any sort.
Why 0.000001 and not just 0?
Yeah you could do that too :) hahaha
@@intigriti Sometimes browsers will prevent the attack if you set the opacity to 0. 0.000001 is to work around the built in browser protections
👍😎
hey there 👋
@@intigriti 👋
god
💜
Click jacking earing
Not sure if we understand what you mean!
Earring
Not sure if we understand :)
Clickjacking is commenting first like me
Yeih 😇