Clickjacking detection #8000

Closed
wants to merge 1 commit into from

Conversation

SaxHornet commented Feb 23, 2017

Hello,

I've made a module to test for clickjacking.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/scanner/http/detect_clickjacking
  • set verbose yes
  • set RHOSTS
  • set CHECKURL http....
  • set VERIFYCONNECT true
  • run

In msfconsole

```
msf auxiliary(detect_clickjacking) > run

[*] XXX.XXX.XX.XXX:80 - Clickjacking testing in progress... [CONNECT][xxxx.fr:80]
[*] XXX.XXX.XX.XXX:80 - Returns with '302' status code [CONNECT][xxx.fr:80]
[+] XXX.XXX.XX.XXX:80 - Potentially vulnerable to clickjacking [302][CONNECT]
                |_X-Frame-Options:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

Best Wishes

```ruby
require 'msf/core'

class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::WmapScanServer
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'clickjacking_detector',
      'Description' => %q{
        This module checks if a website is vulnerable to a clickjacking attack.
      },
      'References'  =>
        [
          ['URL', 'https://fr.wikipedia.org/wiki/D%C3%A9tournement_de_clic'],
        ],
      'Author'      => 'DRX_51',
      'License'     => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(80),
        OptBool.new('MULTIPORTS', [ false, 'Multiple ports will be used: 80, 443', false ]),
        OptBool.new('VERIFYCONNECT', [ true, 'Enable CONNECT HTTP method check', false ]),
        OptString.new('CHECKURL', [ true, 'The web site to test' ]),
        OptString.new('VALIDCODES', [ false, 'Valid HTTP codes for a successful request', '200,302' ]),
        OptString.new('VALIDPATTERN', [ true, 'Valid pattern match (case-sensitive, in the headers and HTML body) for a successful request', '<TITLE>302 Moved</TITLE>' ]),
      ], self.class)

    register_wmap_options({
      'OrderID' => 1,
      'Require' => {},
    })
  end

  def run_host(target_host)
    check_url = datastore['CHECKURL']

    if datastore['VERIFYCONNECT']
      target_method = 'CONNECT'
      # CONNECT takes host:port, so strip the scheme. (A character class such as
      # /[http:\/\/|https:\/\/]/ would delete every 'h', 't', 'p', 's', ':' and '/'
      # in the URL instead of the scheme.)
      check_url = check_url.sub(/\Ahttps?:\/\//i, '')
      check_url += ':80' unless check_url =~ /:\d+\z/
    else
      target_method = 'GET'
      # GET is sent as a plain http request
      check_url = check_url.sub(/\Ahttps:\/\//i, '')
      check_url = 'http://' + check_url unless check_url =~ /\Ahttp:\/\//i
    end

    target_ports = []

    if datastore['MULTIPORTS']
      target_ports = [ 80, 443 ]
    else
      target_ports.push(datastore['RPORT'].to_i)
    end

    target_clickjacking_headers = ['X-Frame-Options']

    target_ports.each do |target_port|
      verify_target(target_host, target_port, target_method, check_url, target_clickjacking_headers)
    end
  end

  def verify_target(target_host, target_port, target_method, check_url, target_clickjacking_headers)
    vprint_status("#{peer} - Clickjacking testing in progress... [#{target_method}][#{check_url}]")

    datastore['RPORT'] = target_port

    begin
      res = send_request_cgi(
        'uri'     => check_url,
        'method'  => target_method,
        'version' => '1.1'
      )

      return unless res

      vprint_status("#{peer} - Returns with '#{res.code}' status code [#{target_method}][#{check_url}]")

      valid_codes = datastore['VALIDCODES'].split(/,/).map(&:strip)

      # Collect the anti-framing headers that are present (Rex header lookup is
      # case-insensitive). The target is only a candidate when none of them is set.
      present_headers = []
      target_clickjacking_headers.each do |clickjacking_header|
        value = res.headers[clickjacking_header]
        present_headers.push("\n                |_#{clickjacking_header}: #{value}") if value
      end

      if present_headers.any?
        vprint_status("#{peer} - Anti-framing header present [#{res.code}][#{target_method}]#{present_headers.join}")
        return
      end

      # Verifying CONNECT we check only the return code; for GET we also
      # require the pattern in the headers or the body.
      matched =
        if datastore['VERIFYCONNECT']
          valid_codes.include?(res.code.to_s)
        else
          valid_codes.include?(res.code.to_s) &&
            (res.headers.to_s.include?(datastore['VALIDPATTERN']) || res.body.include?(datastore['VALIDPATTERN']))
        end

      return unless matched

      print_good("#{peer} - Potentially vulnerable to clickjacking [#{res.code}][#{target_method}]")

      report_note(
        :host   => target_host,
        :port   => target_port,
        :proto  => 'tcp',
        :sname  => (ssl ? 'https' : 'http'),
        :type   => 'Missing Security Header',
        :data   => "X-Frame-Options (#{target_method})"
      )

    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
      vprint_error("#{peer} - The port '#{target_port}' is unreachable")
      nil
    end
  end

end
```
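As an added example (not code from this PR or from Metasploit), the following stand-alone Ruby check shows the classification a clickjacking scanner needs beyond "is X-Frame-Options present": a CSP `frame-ancestors` directive takes precedence over `X-Frame-Options` when both are sent, an unrecognised `X-Frame-Options` value (for example `ALLOWALL` or a typo) gives no protection, the obsolete `ALLOW-FROM` form is ignored by current browsers, and the headers of a 3xx response are not the ones the browser applies to the framed document, so a `302` without the header is not a finding by itself. The `ClickjackingCheck` module name and the sample HTTP responses in `SAMPLES` are constructed for this example.

```ruby
# Added example: classify a raw HTTP response's anti-framing protection.
# Not part of PR #8000 or of the Metasploit framework.

module ClickjackingCheck
  Result = Struct.new(:status, :verdict, :detail)

  # Parse "HTTP/1.1 200 OK\r\nName: value\r\n..." into [status, headers].
  # Header names are lower-cased; repeated headers are joined with ", ",
  # which is how a browser combines them for both X-Frame-Options and CSP.
  def self.parse_response(raw)
    head = raw.split(/\r?\n\r?\n/, 2).first.to_s
    lines = head.split(/\r?\n/)
    status = lines.shift.to_s[/\s(\d{3})(?:\s|\z)/, 1].to_i
    headers = {}
    lines.each do |line|
      name, value = line.split(':', 2)
      next if value.nil?
      key = name.strip.downcase
      headers[key] = headers.key?(key) ? "#{headers[key]}, #{value.strip}" : value.strip
    end
    [status, headers]
  end

  # Source list of the frame-ancestors directive, or nil when the policy has
  # none. Policies are split on ';' and on ',' (comma separates policies).
  def self.frame_ancestors(csp)
    return nil if csp.nil?
    directive = csp.split(/[;,]/).map(&:strip).find { |d| d =~ /\Aframe-ancestors\b/i }
    return nil if directive.nil?
    directive.split(/\s+/, 2)[1].to_s.downcase.split(/\s+/)
  end

  def self.check(raw)
    status, headers = parse_response(raw)

    # A redirect's own headers are not applied to the document that ends up
    # being framed; the final response after following Location is what counts.
    if status >= 300 && status < 400
      return Result.new(status, :redirect, "follow Location: #{headers['location']} and test the final response")
    end

    # CSP frame-ancestors is authoritative when present; browsers that support
    # it ignore X-Frame-Options on the same response.
    sources = frame_ancestors(headers['content-security-policy'])
    if sources
      return Result.new(status, :protected, "frame-ancestors #{sources.join(' ')}") if sources == ["'none'"] || sources == ["'self'"]
      return Result.new(status, :vulnerable, 'frame-ancestors allows any origin (*)') if sources.include?('*')
      return Result.new(status, :restricted, "frame-ancestors #{sources.join(' ')}")
    end

    xfo = headers['x-frame-options']
    return Result.new(status, :vulnerable, 'neither X-Frame-Options nor frame-ancestors set') if xfo.nil?

    values = xfo.split(',').map { |v| v.strip.upcase }.uniq
    return Result.new(status, :misconfigured, "conflicting X-Frame-Options values: #{xfo}") if values.size > 1

    case values.first
    when 'DENY', 'SAMEORIGIN'
      Result.new(status, :protected, "X-Frame-Options: #{values.first}")
    when /\AALLOW-FROM /
      Result.new(status, :weak, "ALLOW-FROM is obsolete and ignored by current browsers: #{xfo}")
    else
      Result.new(status, :vulnerable, "unrecognised X-Frame-Options value is ignored by browsers: #{xfo}")
    end
  end
end

# Constructed sample responses for the example (not captured from any host).
SAMPLES = {
  missing:  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
  deny:     "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
  typo:     "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n\r\n",
  csp_wins: "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nContent-Security-Policy: default-src 'self'; frame-ancestors *\r\n\r\n",
  redirect: "HTTP/1.1 302 Found\r\nLocation: https://www.example.test/\r\n\r\n<TITLE>302 Moved</TITLE>",
}

if __FILE__ == $0
  SAMPLES.each do |name, raw|
    r = ClickjackingCheck.check(raw)
    puts format('%-9s %3d %-13s %s', name, r.status, r.verdict, r.detail)
  end
end
```

The `csp_wins` sample is the case worth remembering when reading scanner output: `X-Frame-Options: DENY` is present, yet the page is frameable from anywhere because the CSP directive wins. A scanner that only greps for the header, as the module above does, reports it as safe.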

busterb (Member) commented Feb 23, 2017

Hi, this isn't a proper pull request. Please see our contributing guide and try again. Thanks!

https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md

busterb closed this Feb 23, 2017

SaxHornet (Author) commented

Hi. OK, thanks for your message.
I ran msftidy and I got 2 errors :)

[WARNING] Space-Tab mixed indent: " \t report_note(\n"
[WARNING] Spaces at EOL

What exactly is it? I don't understand, because my code runs well.

SaxHornet (Author) commented

Re,
Do I have to redo the pull request? If yes, where can I do it? In the same place?

Thanks again

busterb (Member) commented Feb 23, 2017

A pull request should contain your code as a commit to a feature branch in your own fork.

So, you should do this:

git checkout -b my-cool-new-feature
git add modules/my-cool-new-module
git commit
git push

Then, use github to submit a pull request that contains your code as a commit on your branch. In this PR, you sent us an empty commit on master that contained no code at all. Pasting your code into the description is not the correct way to use github.

busterb (Member) commented Feb 23, 2017

In other words, if you see this line at the top of your PR:

Drx51 wants to merge 1 commit into rapid7:master from Drx51:master

it's wrong, because we can't accept merges from someone else's master branch. Also, if you click the 'Files changed' tab and there is no code, it's also not something we can handle.

SaxHornet (Author) commented

Ah, OK. I understand. So, two things: the first is done via GitHub itself and the second via the git command, isn't it?

Ok busterb. Thanks for your answers.

busterb (Member) commented Feb 23, 2017

Well, opposite of that. You will need to create a branch on your fork using the 'git' command, commit your module, then push that branch to github. Once you have done that, you can create a new PR that points to your branch containing your code.

This is a pretty good and simple tutorial in multiple languages if you need some help with that: https://rogerdudler.github.io/git-guide/

Sorry if it seems complex, it's really pretty simple once you get the hang of it!
