References updated for API, Business, Clickjacking, CSPT, Command Injection
Swissky
2024-11-04 16:35:24 +01:00
parent 138fbd97f9
commit 4dc409d31e
7 changed files with 113 additions and 172 deletions


@@ -1,4 +1,4 @@
# Clickjacking: Web Application Security Vulnerability
# Clickjacking
> Clickjacking is a type of web security vulnerability where a malicious website tricks a user into clicking on something different from what the user perceives,
> potentially causing the user to perform unintended actions without their knowledge or consent. Users are tricked into performing all sorts of unintended actions
@@ -6,25 +6,27 @@
> that a normal user can do on a legitimate website can be done using clickjacking.
## Summary
* [Tools](#tools)
* [Methodology](#methodology)
* [UI Redressing](#ui-redressing)
* [Invisible Frames](#invisible-frames)
* [Button/Form Hijacking](#buttonform-hijacking)
* [Execution Methods](#execution-methods)
* [UI Redressing](#ui-redressing)
* [Invisible Frames](#invisible-frames)
* [Button/Form Hijacking](#buttonform-hijacking)
* [Execution Methods](#execution-methods)
* [Preventive Measures](#preventive-measures)
* [Implement X-Frame-Options Header](#implement-x-frame-options-header)
* [Content Security Policy (CSP)](#content-security-policy-csp)
* [Disabling JavaScript](#disabling-javascript)
* [Implement X-Frame-Options Header](#implement-x-frame-options-header)
* [Content Security Policy (CSP)](#content-security-policy-csp)
* [Disabling JavaScript](#disabling-javascript)
* [OnBeforeUnload Event](#onbeforeunload-event)
* [XSS Filter](#xss-filter)
* [IE8 XSS filter](#ie8-xss-filter)
* [Chrome 4.0 XSSAuditor filter](#chrome-40-xssauditor-filter)
* [IE8 XSS filter](#ie8-xss-filter)
* [Chrome 4.0 XSSAuditor filter](#chrome-40-xssauditor-filter)
* [Challenge](#challenge)
* [Practice Environments](#practice-environments)
* [Reference](#references)
## Tools
* [Burp Suite](https://portswigger.net/burp)
* [OWASP ZAP](https://github.com/zaproxy/zaproxy)
* [Clickjack](https://github.com/machine1337/clickjack)
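Review bot: the summary entry `* [Reference](#references)` is labelled "Reference" while the heading it links to reads `## References`; rename the entry to "References" so the label matches the heading (the `#references` anchor itself is correct). The OnBeforeUnload and XSS Filter entries also sit at the same level as the `### Disabling JavaScript` sub-items in this list, while the file heads OnBeforeUnload as a `##` section, so their indentation should match the heading levels the sections actually use.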
@@ -32,9 +34,11 @@
## Methodology
### UI Redressing
UI Redressing is a Clickjacking technique where an attacker overlays a transparent UI element on top of a legitimate website or application.
The transparent UI element contains malicious content or actions that are visually hidden from the user. By manipulating the transparency and positioning of elements,
the attacker can trick the user into interacting with the hidden content, believing they are interacting with the visible interface.
* **How UI Redressing Works:**
* Overlaying Transparent Element: The attacker creates a transparent HTML element (usually a `<div>`) that covers the entire visible area of a legitimate website. This element is made transparent using CSS properties like `opacity: 0;`.
* Positioning and Layering: By setting the CSS properties such as `position: absolute; top: 0; left: 0;`, the transparent element is positioned to cover the entire viewport. Since it's transparent, the user doesn't see it.
@@ -47,11 +51,13 @@ the attacker can trick the user into interacting with the hidden content, believ
```
### Invisible Frames
Invisible Frames is a Clickjacking technique where attackers use hidden iframes to trick users into interacting with content from another website unknowingly.
These iframes are made invisible by setting their dimensions to zero (height: 0; width: 0;) and removing their borders (border: none;).
The content inside these invisible frames can be malicious, such as phishing forms, malware downloads, or any other harmful actions.
* **How Invisible Frames Work:**
* Hidden IFrame Creation: The attacker includes an `<iframe>` element in a webpage, setting its dimensions to zero and removing its border, making it invisible to the user.
```html
<iframe src="malicious-site" style="opacity: 0; height: 0; width: 0; border: none;"></iframe>
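Review bot: the prose says the frame is made invisible by zero dimensions and a removed border, but the snippet `<iframe src="malicious-site" style="opacity: 0; height: 0; width: 0; border: none;">` also uses `opacity: 0`, and a frame with `height: 0; width: 0` has no clickable area at all, so the interaction the text describes depends on the opacity rule rather than the size rules. Suggest the description mention `opacity: 0` alongside the size and border properties so it matches the example.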
@@ -62,6 +68,7 @@ The content inside these invisible frames can be malicious, such as phishing for
### Button/Form Hijacking
Button/Form Hijacking is a Clickjacking technique where attackers trick users into interacting with invisible or hidden buttons/forms, leading to unintended actions on a legitimate website. By overlaying deceptive elements on top of visible buttons or forms, attackers can manipulate user interactions to perform malicious actions without the user's knowledge.
* **How Button/Form Hijacking Works:**
@@ -89,39 +96,47 @@ Button/Form Hijacking is a Clickjacking technique where attackers trick users in
```
### Execution Methods
* Creating Hidden Form: The attacker creates a hidden form containing malicious input fields, targeting a vulnerable action on the victim's website. This form remains invisible to the user.
```html
<form action="malicious-site" method="POST" id="hidden-form" style="display: none;">
<input type="hidden" name="username" value="attacker">
<input type="hidden" name="action" value="transfer-funds">
</form>
```
* Overlaying Visible Element: The attacker overlays a visible element (button or form) on their malicious page, encouraging users to interact with it. When the user clicks the visible element, they unknowingly trigger the hidden form's submission.
* Example in javascript:
```js
```js
function submitForm() {
document.getElementById('hidden-form').submit();
}
```
document.getElementById('hidden-form').submit();
}
```
## Preventive Measures
### Implement X-Frame-Options Header
Implement the X-Frame-Options header with the DENY or SAMEORIGIN directive to prevent your website from being embedded within an iframe without your consent.
```apache
Header always append X-Frame-Options SAMEORIGIN
```
### Content Security Policy (CSP)
Use CSP to control the sources from which content can be loaded on your website, including scripts, styles, and frames.
Define a strong CSP policy to prevent unauthorized framing and loading of external resources.
Example in HTML meta tag:
```html
<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self';">
```
### Disabling JavaScript
* Since these type of client side protections relies on JavaScript frame busting code, if the victim has JavaScript disabled or it is possible for an attacker to disable JavaScript code, the web page will not have any protection mechanism against clickjacking.
* There are three deactivation techniques that can be used with frames:
* Restricted frames with Internet Explorer: Starting from IE6, a frame can have the "security" attribute that, if it is set to the value "restricted", ensures that JavaScript code, ActiveX controls, and re-directs to other sites do not work in the frame.
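Review bot: the CSP example under `### Content Security Policy (CSP)` delivers `frame-ancestors 'self'` in a `<meta http-equiv="Content-Security-Policy">` tag, but `frame-ancestors` is one of the directives browsers ignore when the policy comes from a meta element; it only takes effect when sent as the `Content-Security-Policy` HTTP response header, so the example as written gives no framing protection. Suggest replacing it with the header form, e.g. `Content-Security-Policy: frame-ancestors 'self'`. The Apache line `Header always append X-Frame-Options SAMEORIGIN` has a similar problem: `append` merges into any value already present, and a comma-joined value such as `SAMEORIGIN, SAMEORIGIN` is not a valid directive and is ignored by browsers; `Header always set X-Frame-Options "SAMEORIGIN"` is the safe form. Minor grammar on the Disabling JavaScript bullet: "these type of client side protections relies" should read "this type of client-side protection relies".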
@@ -134,6 +149,7 @@ Example in HTML meta tag:
```
## OnBeforeUnload Event
* The `onBeforeUnload` event could be used to evade frame busting code. This event is called when the frame busting code wants to destroy the iframe by loading the URL in the whole web page and not only in the iframe. The handler function returns a string that is prompted to the user asking confirm if he wants to leave the page. When this string is displayed to the user is likely to cancel the navigation, defeating targets frame busting attempt.
* The attacker can use this attack by registering an unload event on the top page using the following example code:
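Review bot: grammar in the `onBeforeUnload` bullet: "asking confirm if he wants to leave the page" should read "asking the user to confirm whether they want to leave the page", and "defeating targets frame busting attempt" should read "defeating the target's frame-busting attempt". One caveat worth adding next to "The handler function returns a string that is prompted to the user": current browsers show a generic leave-page dialog and do not display the returned string's text, so the evasion still relies on the user cancelling the navigation but the attacker no longer controls the wording.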
@@ -192,6 +208,7 @@ This filter has visibility into all parameters of each request and response flow
```
### Chrome 4.0 XSSAuditor filter
It has a little different behaviour compared to IE8 XSS filter, in fact with this filter an attacker could deactivate a “script” by passing its code in a request parameter. This enables the framing page to specifically target a single snippet containing the frame busting code, leaving all the other codes intact.
Attacker View:
```html
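Review bot: wording in the XSSAuditor paragraph: "It has a little different behaviour compared to IE8 XSS filter" reads better as "Its behaviour differs slightly from the IE8 XSS filter", and "leaving all the other codes intact" should be "leaving all the other code intact".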
@@ -199,6 +216,7 @@ It has a little different behaviour compared to IE8 XSS filter, in fact with thi
```
## Challenge
Inspect the following code:
```html
<div style="position: absolute; opacity: 0;">
@@ -206,16 +224,19 @@ Inspect the following code:
</div>
<button onclick="document.getElementsByTagName('iframe')[0].contentWindow.location='malicious-site.com';">Click me</button>
```
Determine the Clickjacking vulnerability within this code snippet. Identify how the hidden iframe is being used to exploit the user's actions when they click the button, leading them to a malicious website.
## Practice Environments
* [OWASP WebGoat](https://owasp.org/www-project-webgoat/)
* [Client Side Clickjacking Test](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/09-Testing_for_Clickjacking)
## References
* [Clickjacker.io - Saurabh Banawar](https://clickjacker.io)
* [Web-Security Clickjacking - PortSwigger](https://portswigger.net/web-security/clickjacking)
* [Synopsys Clickjacking](https://www.synopsys.com/glossary/what-is-clickjacking.html#B)
* [OWASP - Gustav Rydstedt](https://owasp.org/www-community/attacks/Clickjacking)
* [SecTheory](http://www.sectheory.com/clickjacking.htm)
- [Clickjacker.io - Saurabh Banawar - May 10, 2020](https://clickjacker.io)
- [Clickjacking - Gustav Rydstedt - April 28, 2020](https://owasp.org/www-community/attacks/Clickjacking)
- [Synopsys Clickjacking - BlackDuck - November 29, 2019](https://www.synopsys.com/glossary/what-is-clickjacking.html#B)
- [Web-Security Clickjacking - PortSwigger - October 12, 2019](https://portswigger.net/web-security/clickjacking)
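Review bot: the rewritten reference list switches to `-` bullets while every other list in this file (Summary, Tools, Practice Environments) uses `*`; keep one marker throughout. The entry `[SecTheory](http://www.sectheory.com/clickjacking.htm)` is removed without a replacement; if it was dropped because the link is dead, an archived URL would keep the citation traceable instead of losing it. In the challenge snippet, `contentWindow.location='malicious-site.com'` is a relative path rather than an absolute URL, so the example would be clearer with the same `malicious-site` placeholder the earlier snippets use.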