
Clickjacking detection #8000

Closed

Drx51 wants to merge 1 commit into rapid7:master from Drx51:master
Drx51 commented Feb 23, 2017

Hello,

I've made a module to test for clickjacking.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/scanner/http/detect_clickjacking
  • set verbose yes
  • set RHOSTS
  • set checkurl http....
  • set VERIFYCONNECT true
  • run

In Msfconsole

msf auxiliary(detect_clickjacking) > run

[*] XXX.XXX.XX.XXX:80 - Clickjacking testing in progress... [CONNECT][xxxx.fr:80]
[*] XXX.XXX.XX.XXX:80 - Returns with '302' status code [CONNECT][xxx.fr:80]
[+] XXX.XXX.XX.XXX:80 - Potentially vulnerable to clickjacking [302][CONNECT]
                |_X-Frame-Options:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Best Wishes

```ruby
require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::WmapScanServer
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'clickjacking_detector',
      'Description' => %q{
        This module checks if a website is vulnerable to a clickjacking attack.
      },
      'References'  =>
        [
          ['URL', 'https://fr.wikipedia.org/wiki/D%C3%A9tournement_de_clic'],
        ],
      'Author'      => 'DRX_51',
      'License'     => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(80),
        OptBool.new('MULTIPORTS', [ false, 'Multiple ports will be used: 80, 443', false ]),
        OptBool.new('VERIFYCONNECT', [ true, 'Enable CONNECT HTTP method check', false ]),
        OptString.new('CHECKURL', [ true, 'The web site to test' ]),
        OptString.new('VALIDCODES', [ false, 'Valid HTTP codes for a successful request', '200,302' ]),
        OptString.new('VALIDPATTERN', [ true, 'Pattern that must match (case-sensitive, in the headers or the HTML body) for a successful request', '<TITLE>302 Moved</TITLE>' ]),
      ], self.class)

    register_wmap_options({
      'OrderID' => 1,
      'Require' => {},
    })
  end

  def run_host(target_host)
    check_url = datastore['CHECKURL']

    if datastore['VERIFYCONNECT']
      target_method = 'CONNECT'
      # CONNECT takes a host:port authority, not a URL, so strip the scheme.
      # (/[http:\/\/|https:\/\/]/ was a character class and removed single
      # letters anywhere in the string instead of the scheme prefix.)
      check_url = check_url.gsub(/^https?:\/\//i, '')
      check_url += ':80' if check_url !~ /:\d+$/
    else
      target_method = 'GET'
      # GET is only sent as a plain http request
      check_url = check_url.gsub(/^https:\/\//i, 'http://')
      check_url = 'http://' + check_url if check_url !~ /^http:\/\//i
    end

    target_ports = []

    if datastore['MULTIPORTS']
      target_ports = [ 80, 443 ]
    else
      target_ports.push(datastore['RPORT'].to_i)
    end

    target_clickjacking_headers = ['X-Frame-Options']

    target_ports.each do |target_port|
      verify_target(target_host, target_port, target_method, check_url, target_clickjacking_headers)
    end
  end

  def verify_target(target_host, target_port, target_method, check_url, target_clickjacking_headers)
    vprint_status("#{peer} - Clickjacking testing in progress... [#{target_method}][#{check_url}]")

    datastore['RPORT'] = target_port

    begin
      res = send_request_cgi(
        'uri'     => check_url,
        'method'  => target_method,
        'version' => '1.1'
      )

      return if not res

      vprint_status("#{peer} - Returns with '#{res.code}' status code [#{target_method}][#{check_url}]")

      valid_codes = datastore['VALIDCODES'].split(/,/)

      # Collect the anti-framing headers that are actually present in the response
      target_clickjacking_headers_results = []
      target_clickjacking_headers.each do |clickjacking_header|
        if res.headers.to_s =~ /^#{Regexp.escape(clickjacking_header)}:\s*(.*)$/i
          clickjacking_header_value = $1.strip
          target_clickjacking_headers_results.push("\n                |_#{clickjacking_header}: #{clickjacking_header_value}")
        end
      end

      clickjacking_headers = target_clickjacking_headers_results.join
      # Only a response that carries none of the headers is a finding; a site that
      # does send X-Frame-Options must not be reported as missing it
      header_missing = target_clickjacking_headers_results.empty?

      if datastore['VERIFYCONNECT']
        # Verifying CONNECT we check only the return code
        request_ok = valid_codes.include?(res.code.to_s)
      else
        # Verify return code && (headers.pattern or body.pattern)
        pattern = datastore['VALIDPATTERN']
        request_ok = valid_codes.include?(res.code.to_s) &&
          (res.headers.to_s.include?(pattern) || res.body.include?(pattern))
      end

      if request_ok && header_missing
        print_good("#{peer} - Potentially vulnerable to clickjacking [#{res.code}][#{target_method}]#{clickjacking_headers}")

        report_note(
          :host   => target_host,
          :port   => target_port,
          :method => target_method,
          :proto  => 'tcp',
          :sname  => (ssl ? 'https' : 'http'),
          :type   => 'Missing Security Header',
          :data   => "X-Frame-Options (#{target_method})"
        )
      elsif request_ok
        vprint_status("#{peer} - Anti-framing header present#{clickjacking_headers}")
      end

    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
      vprint_error("#{peer} - The port '#{target_port}' is unreachable")
      return nil
    end
  end

end
```
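The module above only looks for an `X-Frame-Options` header and treats any response with an acceptable status code as a finding. The check a reviewer would actually want is whether the response leaves the page frameable at all, which also means reading the `Content-Security-Policy` `frame-ancestors` directive (it takes precedence over `X-Frame-Options` in browsers that support it) and distinguishing a header that is present but ineffective (`ALLOW-FROM`, an unrecognised value, a wildcard `frame-ancestors *`) from one that blocks framing. The following is an added example, not code from the PR or from Metasploit; `parse_response`, `framing_verdict` and `scan` are names chosen here, and the sample responses are constructed for illustration.

```ruby
# Added example (not part of the PR): classify an HTTP response's framing
# protection from its headers, the decision the clickjacking module is trying
# to make. Runs offline against constructed sample responses.

# Split a raw HTTP/1.1 response into its status code and a case-insensitive
# header hash; duplicate header names are kept as an array of values.
def parse_response(raw)
  head, _body = raw.split(/\r?\n\r?\n/, 2)
  lines = head.lines.map(&:chomp)
  status = lines.shift.split(' ')[1].to_i
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    name, value = line.split(':', 2)
    next if value.nil?
    headers[name.strip.downcase] << value.strip
  end
  [status, headers]
end

# Returns one of:
#   :protected   - DENY / SAMEORIGIN, or a frame-ancestors directive that is not a wildcard
#   :weak        - a header is present but does not reliably block framing
#                  (ALLOW-FROM, an unrecognised value, frame-ancestors *, or
#                  conflicting X-Frame-Options values, which need a manual look)
#   :unprotected - neither header is present
def framing_verdict(headers)
  xfo = headers.fetch('x-frame-options', []).map { |v| v.strip.upcase }
  csp = headers.fetch('content-security-policy', [])
  ancestors = csp.flat_map do |policy|
    policy.split(';').map(&:strip).select { |d| d.downcase.start_with?('frame-ancestors') }
  end

  # CSP frame-ancestors, when present, overrides X-Frame-Options
  unless ancestors.empty?
    sources = ancestors.first.split(/\s+/).drop(1)
    return sources.include?('*') ? :weak : :protected
  end

  return :unprotected if xfo.empty?
  return :weak if xfo.uniq.size > 1 # conflicting values: verify in a browser
  case xfo.first
  when 'DENY', 'SAMEORIGIN' then :protected
  else :weak # ALLOW-FROM is widely unsupported; anything else is an invalid value
  end
end

def scan(raw)
  status, headers = parse_response(raw)
  [status, framing_verdict(headers)]
end

# Constructed sample responses (not captured from any real host)
RESPONSES = {
  missing:    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
  deny:       "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
  allow_from: "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.test\r\n\r\n",
  csp:        "HTTP/1.1 302 Found\r\nLocation: /login\r\n" \
              "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n",
  csp_wild:   "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n" \
              "Content-Security-Policy: frame-ancestors *\r\n\r\n",
}

if __FILE__ == $0
  RESPONSES.each { |name, raw| puts "#{name}: #{scan(raw).inspect}" }
end
```

Note that the `csp_wild` case is reported as weak even though it sends `X-Frame-Options: SAMEORIGIN`, because the wildcard `frame-ancestors` wins; a scanner that only reads `X-Frame-Options` would call it protected.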

busterb commented Feb 23, 2017

Hi, this isn't a proper pull request. Please see our contributing guide and try again. Thanks!

https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md

busterb closed this Feb 23, 2017

Drx51 commented Feb 23, 2017

Hi. Ok, thanks for your message.
I ran msftidy and I've got 2 errors :)

[WARNING] Space-Tab mixed indent: " \t report_note(\n"
[WARNING] Spaces at EOL

What are they exactly, 'cause I don't understand. My code runs well.

Drx51 commented Feb 23, 2017

Hi again,
Do I have to redo a pull request? If yes, where can I do it? At the same place?

Thanks again

busterb commented Feb 23, 2017

A pull request should contain your code as a commit to a feature branch in your own fork.

So, you should do this:

git checkout -b my-cool-new-feature
git add modules/my-cool-new-module
git commit
git push

Then, use github to submit a pull request that contains your code as a commit on your branch. In this PR, you sent us an empty commit on master that contained no code at all. Pasting your code into the description is not the correct way to use github.

busterb commented Feb 23, 2017

In other words, if you see this line at the top of your PR:

Drx51  wants to merge 1 commit into rapid7:master from Drx51:master

it's wrong, because we can't accept merges from someone else's master branch. Also, if you click the 'Files changed' tab and there is no code, it's also not something we can handle.

Drx51 commented Feb 23, 2017

Ah ok, I understand. So, two things: the first is done by GitHub itself and the second by the git command, isn't it?

Ok busterb. Thanks for your answers.

busterb commented Feb 23, 2017

Well, opposite of that. You will need to create a branch on your fork using the 'git' command, commit your module, then push that branch to github. Once you have done that, you can create a new PR that points to your branch containing your code.

This is a pretty good and simple tutorial in multiple languages if you need some help with that: https://rogerdudler.github.io/git-guide/

Sorry if it seems complex, it's really pretty simple once you get the hang of it!

busterb referenced this pull request May 8, 2018: "include example of why PRs from master are bad" #9996 (merged)